WindowSecurity.com - Monthly Newsletter - January 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MVP), Sales Engineering Director for Iron Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.

Editor's Corner

Happy New Year! 2014 is finally here, and you know what that means? That's right…Windows XP will no longer be supported this year. To be precise, all support for Windows XP ceases on April 8 this year. We've been talking about this for the last few years, encouraging businesses and consumers to migrate from Windows XP to at least Windows 7, ideally Windows 8.1. Aside from the lack of support, there are many compelling reasons to consider the latest release of Windows purely from a security standpoint. I've written extensively in the past in this newsletter about the new security capabilities in Windows 8.x. Windows 8 is much more resistant to malware than its predecessor, and includes many new features to provide stronger authentication. However, the reality is that there will still be many Windows XP systems running after the drop dead date of April 8, so what happens then? With the end of support also comes the end of security updates for Windows XP, which is the real issue. Of course there will still be new vulnerabilities discovered in Windows XP, leading to perpetual 0-day vulnerabilities for the legacy operating system. Is it possible to continue running Windows XP safely past April. In some very limited circumstances, perhaps. For most deployments, definitely not.

--Rich

Running Windows XP after April 2014

In an ideal world, when April 8, 2014 rolls around (the official end of support date for Windows XP), everyone will have successfully migrated to the latest version of Windows and XP will be a memory. Of course we all know that is never going to happen, for a variety of reasons. There will most certainly be a fair number of users, mostly consumer but probably many enterprises as well, who simply have their head buried in the sand and will continue running Windows XP because "it works". For them, they will reap the consequences they deserve, no doubt. Ignorance never pays off! However, for a significant number of people, migrating from Windows XP may be impossible. Perhaps due to an application that doesn't run on newer versions of Windows, or because Windows XP is embedded in some proprietary device. Examples of this would include point-of-sales terminals, medical devices, and many industrial control systems. For those that fall into these categories, here is some advice:

  • Application Compatibility – If you have an application that will run only on Windows XP and not on any later version of Windows, you should first ask yourself why you are still running this program. Seriously…Windows Vista was first introduced in 2006, giving your application vendor more than 7 years to update their code to run on it. If your decision was to bypass Windows Vista and instead wait for the release of Windows 7, that became available in 2009, which is still 4 years. If an upgrade is not available, perhaps it is time to consider alternative applications. Continuing to run legacy applications on Windows XP should be a last resort.
  • Embedded Devices/Industrial Control Systems – If your embedded device or industrial control system is still running Windows XP, it's time to talk to your vendor about options for in-place upgrades or replacement. This is probably an easier option for embedded devices like point-of-sale terminals and medical devices, but for industrial control systems it might not. Regardless, you should be placing pressure on your vendors to provide options to address this very serious concern.

If for whatever reason you are forced to run Windows XP after April 2014, my only advice to you is to pay extremely close attention to these systems. They should not, under any circumstances, be allowed to connect to the public Internet. At a minimum, identify all of your Windows XP systems and make certain that border routers and edge firewalls have the proper ACLs in place to prevent access to and from your XP devices. A better solution, although not foolproof, is to limit physical network connectivity for XP systems. Remember though that air gaps can be compromised too. Consider the Iranian centrifuges. They were most certainly not connected to external networks, yet they were infected with Stuxnet. You've been warned!

Faced with the very real possibility of perpetual 0-day vulnerabilities, it is vital that you greatly restrict both physical and network access to these systems. Make sure that your antimalware solution is up to day, which in the case of network-restricted systems will have to be done manually. Restrict the use of these machines to the bare minimum, running only the applications that are necessary. I would strongly discourage the general use of a Windows XP system, even with up-to-date antimalware installed. And finally, Windows XP systems in production after April 2014 should be monitored very diligently. Pay close attention to any unusual network activity generated by XP systems and watch the event logs for signs of compromise.

In the words of Leslie Nielsen's character Dr. Rumack in the 1980 movie Airplane!, "Good luck, we're all counting on you." ;)

Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an important and essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, until now there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.

Image

Click here to order your copy today!

Microsoft Security Bulletins for January 2014

For the month of January, Microsoft released just 4 security bulletins, all of which are rated as important (this month's light load is probably welcome to most, as it will allow them additional time to deploy all of the Adobe and Oracle updates – more on that later!) However, MS14-001, which addresses a vulnerability in Microsoft Word and Office Web Apps is remotely exploitable and should probably be treated as critical. Affected software includes all Windows XP and Windows Server 2003 operating systems, all supported versions of Microsoft Office, SharePoint Server 2010 and 2013, Microsoft Office Web Apps 2010 and 2013, and Microsoft Dynamics AX 4.0, 2009, 2012, and 2012 R2. Second Tuesday this month also included some non-security updates to Windows 7, Windows Server 2008 R2, and Windows 8.x/RT. Microsoft has also re-released security update MS13-081 which addressed a vulnerability in Windows kernel-mode drivers that could allow remote code execution on Windows 7 and Windows Server 2008 R2 systems. This update was removed previously due to potential conflicts with third-party USB drivers. For more information about January's security bulletins click here.

Security Articles of Interest

  1. As I just mentioned, this month there are lots of Adobe and Oracle updates to grapple with. Adobe has released updates for numerous products, including Acrobat, Acrobat Reader, Air, and Flash Player. More details here:
    http://helpx.adobe.com/security/products/acrobat/apsb14-01.html
    http://helpx.adobe.com/security/products/flash-player/apsb14-02.html

    Oracle has released updates that contain a whopping 144 security fixes across 46 of its products. Java accounts for 36 of them, 34 of which are remotely exploitable.
    http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

  2. Since the last WindowSecurity.com newsletter, Target Stores was hit with a massive data breach affecting, by some accounts, as many as 100 million individuals. Credit card data was accessed for a period of nearly three weeks just after the U.S. Thanksgiving holiday, a period when shopping for the holiday season is in full swing. According to some reports, the attackers appear to have planted malware on point-of-sale (PoS) systems and, for some strange and inexplicable reason, the card data was not encrypted between the card reader and the PoS terminal. Making matters worse, attackers were apparently able to exfiltrate this stolen data using FTP. This last point concerns me deeply, as it indicates that egress filtering was poor or non-existent (RSA was guilty of this in their breach too!).
    http://www.reuters.com/article/2013/12/19/us-target-breach-idUSBRE9BH1GX20131219
    http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
    http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/

  3. Recently there has been much confusion regarding the support of Microsoft Security Essentials (MSE), Microsoft's free antimalware software for Windows XP, Vista, and Windows 7. It was originally thought that Microsoft would no longer support MSE on Windows XP when XP ended support in April. However, that appears not to be the case. According to Microsoft, they will continue support for MSE with virus signature updates through July 14, 2015. Note that this also applies to enterprise antimalware solutions such as System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune running on XP. More details here:
    http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-support-for-windows-xp.aspx

  4. The good guys score another victory! Recently Microsoft took control of the Sirefef botnet, also known as the ZeroAccess botnet. While monitoring the command and control traffic to the botnet, recent messages to infected computers included the message "white flag", indicating that the criminals have surrendered the network.
    http://blogs.technet.com/b/microsoft_blog/archive/2013/12/19/zeroaccess-criminals-wave-white-flag-the-impact-of-partnerships-on-cybercrime.aspx

  5. Part of the fallout of the recently revealed NSA spying is that organizations everywhere are now beginning to encrypt data with more diligence. Mark Russonivich, along with others at Microsoft, are now focusing their efforts on data encryption for all communication to and among endpoints in the Windows Azure public cloud. Of particular interest is inter-datacenter communication, for which evidence exists that the NSA was tapping and monitoring. By enabling encrypted communication by default, and encrypting close to the endpoints, Microsoft can prevent this unlawful interception of communication.
    http://www.wired.com/wiredenterprise/2013/12/microsoft-nsa/

  6. The U.S. military is undergoing an effort to reduce the number of entry points on their data networks. As a form of attack surface reduction, having fewer entry/exit points makes it easier to monitor and defend. Once complete, they will have reduced the number of network entry points from 120 down to just 16. Private enterprise organizations would do well to follow this advice and review their current network configuration to determine if entry point consolidation is necessary.
    http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1367

  7. Distributed Denial-of-Service (DDoS) attacks have been around for many years, and using DNS amplification has been a popular attack vector for cybercriminals. However, recently it was learned that some ingenious attackers have figured out how to leverage the Network Time Protocol (NTP) for leveraging DDoS attacks. The attack takes advantage of older NTP implementations. The attack can be mitigated by restricting access to specific commands or simply updating to a later version of NTP.
    http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063

  8. Microsoft recently released a new whitepaper on Windows Azure network security. This whitepaper provides detailed information on all aspects of network security within Windows Azure. It provides implementation details for securing network access to Windows Azure Infrastructure-as-a-Service (IaaS) virtual machines using VPN and public endpoints. In addition, the paper includes guidance for securing virtual machine communication across subscriptions, remote management best practices, and DDoS mitigation techniques. You can download the whitepaper here:
    http://blogs.msdn.com/b/windowsazure/archive/2014/01/07/new-windows-azure-network-security-whitepaper.aspx
  9. A backdoor has recently been exposed in some Cisco small business devices. Certain Cisco routers and wireless access points have an "undocumented test interface" which can be exploited to gain access to the device. More details here:
    http://www.zdnet.com/backdoor-exposed-in-cisco-small-business-devices-7000025059/

WindowSecurity.com Articles of Interest

  1. Securing Service Accounts – Part 2
  2. ScriptLogic Active Administrator voted WindowSecurity.com Reader's Choice Award Winner for Network Auditing Solutions
  3. The Evolution of Microsoft Rights Management Services (RMS) – Part 2
  4. Developing an Information Security and Risk Management Strategy – Part 1

Windows Security Tip of the Month

If you're planning to migrate from Windows XP to Windows 7 or Windows 8.x, have a look at the Microsoft Application Compatibility Toolkit (ACT) v5.6. This toolkit enables administrators to evaluate the compatibility of applications on the most recent versions of the Windows operating system. This is an invaluable tool that can save significant time and effort migrating applications from XP to Windows 7/8.x. ACT allows you to verify compatibility for your application for updates to Windows and most importantly test your application for issues related to User Account Control (UAC), which is most likely the biggest pain point for applications written for Windows XP. It also allows you to test how applications perform when running as a standard user, which can result in significantly improved security posture and increased resistance to malware. The ACT also includes an Internet Explorer compatibility test tool to verify how your applications work with the latest versions of Internet Explorer. You can learn more about ACT here, and download the latest version of ACT here.