WindowSecurity.com - Monthly Newsletter - July 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

Recently a news story came to light that included two of my favorite topics – information security and baseball. As it turns out, the Major League Baseball Houston Astros incurred a data breach, and much proprietary and confidential information was made publicly available. More intriguing is that the primary suspects are employees of another baseball team, the St. Louis Cardinals. What was the motive? What information would another team have that might be valuable to a competitor? And, was it really hacking? Or perhaps something more benign and less sophisticated. Read on to learn more.

--Rich

Hacking and Baseball

I’m a huge baseball fan. Have been since I can remember. Although the game on the field is fundamentally unchanged from its oldest origins, America’s pastime has become quite modernized in the last few decades. The information age has had a profound effect on baseball, and today’s advanced data collection and analytics have altered the way the game is managed. There are mountains of information available on all aspects of player performance, and many organizations are using them to their advantage when it comes to competing on the field. Another area where data comes into play is player development. Finding talent is both an art and a science, and increasingly data-driven analysis is used in the process of assembling the team of players you see on the field. For all of these reasons and more, someone might seek to compromise another team’s systems to access this valuable data.

In this story, the FBI was called in after the Astros reported finding proprietary and confidential information posted to a public web site. The data included detailed information about player prospects (players they might wish to sign to a contract in the future) and private notes about players, deals, and more. Some of the notes turned out to be less than flattering, making the revelation a bit of an embarrassment for the Astros organization as well.

So what would a competing team have to gain by accessing this information? It’s hard to quantify a competitive advantage if the data included player performance data, because that changes rapidly. In fact, data older than a month or so might be completely useless. However, information about which players a team was interested in signing, along with information about proposed compensation plans might be tremendously beneficial. In fact, armed with information such as this, a competing team could prepare a bid that was slightly higher than theirs, but not so much that it would be giving away a lot of money. The possibilities are endless.

How did the hack take place? At this point we don’t know. The FBI is continuing the investigation, but there is evidence that employees of the St. Louis Cardinals were involved. You might ask yourself, what do baseball executives know about hacking? I sure did. The answer is probably little. However, they might know people who know people, you know what I mean? In addition, it is possible that this isn’t really “hacking” in the pure sense (e.g. exploiting a vulnerability to gain unauthorized access). It’s highly likely that it was simply poor identity management, with the attackers using known credentials or guessing passwords.

Why does any of this matter? Because I’m certain this same scenario plays out day after day across all verticals. No business is immune, from defense contractors to bakeries, from real estate companies to competitive sports franchises. Wherever there is competition, someone will be seeking an edge. Any advantage gained can make or break a business, and some who lack a moral compass will seek any way they can to gain that advantage, even resorting to cybercrime.

I guess we’ll find out more about this interesting story in the coming months. If it turns out to be someone from the Cardinals organization, I’d suggest that someone from the Astros drop in and nail one of their executives in the hip with a fastball (I’m old school like that).

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!


3. Microsoft Security Bulletins for July 2015

For the month of July, Microsoft released 15 security bulletins: 5 are rated critical and 10 important. Affected software includes Microsoft SQL Server, Internet Explorer, Office and Windows. Of particular importance this month is MS15-078 (an out-of-band release), which addresses a critical vulnerability in the Microsoft Font Driver that could allow remote code execution. Evidence exists that attack code is publicly available, as this vulnerability was used recently in a high-profile data breach. MS15-068 is an update for Microsoft Hyper-V that mitigates a vulnerability that could allow an attacker on a guest VM to execute code on the host. In addition, MS15-067 addresses a critical vulnerability in the ubiquitous and commonly used Remote Desktop Protocol (RDP) that could allow remote code execution.

For more information about July’s security bulletins click here.

4. Microsoft Security Advisories for July 2015

For the month of July, Microsoft released two new security advisories and updated one. Security advisory 3074162 addresses a vulnerability in the Microsoft Malicious Software Removal Tool that could allow elevation of privilege. Security advisory 3057154 is an update to harden the use of DES encryption, beginning with Windows 7 and Windows Server 2008 R2. Microsoft also updated security advisory 2755801, which addresses vulnerabilities in Adobe Flash Player in Internet Explorer.


5. Security Articles of Interest

  1. As I discussed at the beginning of this newsletter, allegations of computer “hacking” have been raised in Major League Baseball between the Houston Astros and the St. Louis Cardinals. When sensitive information from the Astros was found on a public web site, the FBI began investigating the breach. The moral of the story is that if you have data, someone else probably wants it…even in baseball.
    http://www.cnn.com/2015/07/03/politics/st-louis-cardinals-houston-astros-computer-intrusion/
  2. Many organizations lack essential visibility into credential use. The proliferation of data breaches, compounded by username and password reuse and the alarming success of phishing attacks, makes the monitoring of user accounts vitally important. Microsoft is offering customers new features and capabilities with Azure Active Directory that can help organizations identify anomalous user account activity in order to better protect their users.
    http://blogs.microsoft.com/cybertrust/2015/06/18/the-risk-of-leaked-credentials-and-how-microsofts-cloud-helps-protect-your-organization/
  3. If you’ve ever walked through the vendor exposition hall at a security conference you’ll know there are countless solutions focused on eradicating threats from malware. Clearly malware is a problem, but if you’re focusing most of your efforts on it, you might be missing other critical opportunities to improve your security posture. Many organizations make common mistakes when it comes to addressing malware. This article focuses on two common ones.
    http://www.darkreading.com/attacks-breaches/is-your-security-operation-hooked-on-malware/a/d-id/1320882
  4. Windows XP is dead. Long live Windows XP? Maybe. The U.S. Navy is still migrating away from Windows XP, and as such still requires support for the antiquated platform. In fact, they have agreed to pay Microsoft millions of dollars to keep their XP systems under support for at least two more years. I’m not sure which is more upsetting, the waste of taxpayer dollars for something they failed to plan for, or the fact that they are using such an insecure operating system in defense of our country!
    http://www.computerworld.com/article/2939435/government-it/us-navy-paid-millions-to-stay-on-windows-xp.html
  5. This story really made my blood boil. It came to light recently that Samsung was disabling Windows Update on some of its laptop computers in an effort to reduce support desk calls for their hardware platform. At issue is the fact that Microsoft sometimes releases drivers via Windows Update and apparently that was causing issues for Samsung support. Clearly this was the wrong way to address this issue. Putting customers in harm’s way by disabling critical updating infrastructure is a terrible practice.
    http://www.zdnet.com/article/microsoft-responds-to-samsung-disabling-windows-update/
  6. The Trusted Platform Module (TPM) is an essential component used to ensure the integrity of the device and operating system that resides on it. Recently the Trusted Computing Group (TCG) announced version 2.0 of the TPM library specification has been approved by the ISO/IEC Joint Technical Committee (JTC) 1 and will be included as part of ISO/IEC 11889:2015.
    http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/
  7. The massive volume of data available to security administrators can be a blessing and a curse. The reality is that if a network is successfully compromised, often the evidence is buried in mountains of noise that make it difficult for analysts to detect. Chris Sanders draws analogies between security analytics and the medical field, sharing valuable insights that can reduce the time of incident detection and remediation.
    http://chrissanders.org/2015/06/investigations-prospective-data-collection/
  8. The Center for Internet Security (CIS) has invited public comments on the latest draft version of their Critical Security Controls (CSC).
    https://www.cisecurity.org/critical-controls.cfm
  9. Exchange PST files have long been the bane of many systems administrators simply for their often unwieldy size. However, from a security perspective they can be quite valuable targets for attackers. Getting rid of PST file usage should be a top priority for organizations seeking to reduce their attack surface. This is a great article that provides several options for dealing with legacy PST files.
    http://blogs.technet.com/b/exchange/archive/2015/07/08/deep-sixing-pst-files.aspx
  10. Multifactor authentication (MFA). You need it, trust me. And there is no easier way to deploy a multifactor authentication platform than with Azure MFA. The value of MFA is tremendous, significantly reducing the impact of credential theft. With Azure MFA you can even extend multifactor authentication to cloud-based applications and services as well.
    http://blogs.microsoft.com/cybertrust/2015/07/20/cloud-security-controls-series-multi-factor-authentication/


6. WindowSecurity.com Articles of Interest

  1. Windows 10 Trusted Computing Base a Comprehensive Security Strategy
  2. The Trouble with Security
  3. Windows 10 Varieties Explained – Choosing the Best Fit for You
  4. Active Directory in the Cloud – Part 1
  5. Video – Windows Service Account Finder and Reporter

7. Windows Security Tip of the Month

A common attack vector for cybercriminals is user accounts. If an attacker can compromise a user account, their job becomes infinitely easier. Gaining access to valid user credentials allows a criminal to masquerade as a valid user, making detection of malicious activity much more difficult. A common scenario plays out when a user leaves an organization (of their own choosing or otherwise) and their account is not disabled.

Making things more problematic is the multitude of user repositories that must be accounted for when deprovisioning users. It is no longer enough to simply disable or delete a user’s account in Active Directory! Often the user will have accounts in multiple locations, including LDAP, RADIUS, and a host of cloud service providers. Federation aims to address some of these challenges, but the process by which provisioning and deprovisioning is managed is often incomplete.

The current Microsoft solution for identity management is Microsoft Identity Manager (MIM). A replacement for the existing Forefront Identity Manager (FIM) platform, MIM integrates with on-premises and cloud-based platforms to streamline identity and privileged access management. You can use MIM to automate the process, which will reduce the likelihood of accounts left active when they should be disabled. For more information about MIM and for a link to participate in the public preview, click here.
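Until an identity management platform such as MIM is in place, the Active Directory half of the problem described above can at least be measured. The following script is an added example written for this newsletter (it is not Microsoft's code and not part of MIM); it reports enabled user accounts that have not logged on within a chosen number of days and, only when asked, disables them. It assumes the ActiveDirectory PowerShell module from RSAT, read rights to user objects (write rights when disabling), and the parameter names and CSV path are my own choices.

```powershell
# Added example (not from the newsletter or from Microsoft): find enabled AD user
# accounts with no logon in the last N days, write a CSV report, and optionally
# disable them. Supports -WhatIf so the disable step can be rehearsed safely.
# Assumes the ActiveDirectory RSAT module is installed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,
    [string]$SearchBase = $null,                 # OU distinguished name; $null = whole domain
    [switch]$Disable,                            # without this switch the script only reports
    [string]$ReportPath = ".\stale-accounts.csv" # assumed output location
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates only every
# 9-14 days, so treat the result as "at least this stale", not an exact timestamp.
$query = @{
    Filter     = 'Enabled -eq $true'
    Properties = 'LastLogonDate', 'whenCreated', 'PasswordLastSet', 'Description'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$stale = Get-ADUser @query | Where-Object {
    # Accounts that have never logged on count as stale only if they were
    # created before the cutoff; a brand-new account is not a leaver.
    ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
    (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
}

$report = @($stale | Select-Object SamAccountName, DistinguishedName,
                                   LastLogonDate, whenCreated, PasswordLastSet, Description)
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} enabled account(s) inactive for more than {1} days written to {2}" -f
            $report.Count, $InactiveDays, $ReportPath)

if ($Disable) {
    foreach ($user in $stale) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable inactive account")) {
            # Record why and when the account was disabled so a later reviewer can tell
            # an inactivity disable from a deliberate HR-driven deprovisioning.
            $note = "Disabled for inactivity {0:yyyy-MM-dd}; was: {1}" -f (Get-Date), $user.Description
            Set-ADUser -Identity $user -Description $note
            Disable-ADAccount -Identity $user
        }
    }
}
```

Run it first with no switches to get the report, then with `-Disable -WhatIf` to see exactly which accounts would be touched before committing. Note what this does not cover: it only sees Active Directory, so the LDAP, RADIUS and cloud-provider accounts the tip mentions still need their own checks, which is precisely the gap a tool like MIM is meant to close.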