WindowSecurity.com - Monthly Newsletter - October 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


Editor's Corner

It’s been a busy month for information security professionals, and that’s never a good thing. Looking over the important items in the news since the last newsletter, there have been two serious security vulnerabilities discovered, a handful of significant data breaches, and major changes at Microsoft that will have important implications for how security is handled at Microsoft in the future. Each month when I sit down to write the newsletter I try to focus on a single, relevant topic pertaining to recent security news. However, there are a number of important topics that I’d like to discuss, so this month will be a little different.

--Rich

Vulnerabilities, Data Breaches, and Microsoft Trustworthy Computing

It’s not been a good year for the open source camp with regard to security. After the Heartbleed vulnerability in April, yet another serious, remotely executable vulnerability in the Bourne Again Shell (Bash) used by most Linux distributions was discovered. Dubbed “Shellshock”, this latest vulnerability has the potential to be as problematic as Heartbleed, perhaps even more. Certainly the attack surface is much more substantial, as most Linux servers are running Bash, but a much smaller percentage are running web server software. Sadly, this vulnerability has existed in the Bash shell for more than two decades, further debunking the myth that open source software is inherently more secure than commercial software.

Right around the same time as the Shellshock vulnerability was discovered, security researchers at Google announced that they had identified a serious vulnerability in SSL 3.0. The "POODLE" attack (Padding Oracle on Downgraded Legacy Encryption) leverages a vulnerability in the Cipher Block Chaining (CBC) cipher suites used with SSL 3.0. To be successful, an attacker must mount a man-in-the-middle attack to control the communication between a client and server and inject JavaScript code into the browser. If a TLS session is established, an attacker can force a fallback to SSL 3.0 and, by making a series of requests, can discover sensitive information (e.g. cookie data or authorization headers). The vulnerability exists in the protocol itself, and one suggested workaround is to disable the use of CBC cipher suites. However, this is less than ideal because the alternative, using stream ciphers, also presents its own security risks. Because SSL 3.0 is an old, outdated protocol that is still implemented only for backward compatibility with legacy applications, it is generally recommended that the use of SSL 3.0 be discontinued entirely. Details for disabling SSL 3.0 on Windows systems can be found here.
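As an added example (not from the newsletter or from Microsoft's advisory text), the following PowerShell script disables SSL 3.0 in SChannel on a Windows host and then verifies the registry state. It assumes an elevated session on Windows Server 2008 R2 or later; the registry path and the Enabled/DisabledByDefault values are the documented SChannel protocol settings, and a reboot is required before the change takes effect.

```powershell
# Added example: disable SSL 3.0 in SChannel and verify the result.
# Assumes an elevated session; changes apply after a reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Disable-Ssl3 {
    # Both halves of the protocol are switched off: Server covers inbound
    # connections (IIS, RDP, etc.), Client covers outbound connections made
    # through SChannel. Enabled=0 turns the protocol off; DisabledByDefault=1
    # keeps it off for applications that do not explicitly request it.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-Ssl3Disabled {
    # Returns $true only when both sides have Enabled explicitly set to 0.
    # A missing key or value means the OS default (SSL 3.0 on) still applies.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) { return $false }
        $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' `
            -ErrorAction SilentlyContinue).Enabled
        if ($enabled -ne 0) { return $false }
    }
    return $true
}

Disable-Ssl3
if (Test-Ssl3Disabled) {
    Write-Output 'SSL 3.0 disabled in SChannel; reboot, then re-test the site externally.'
} else {
    Write-Output 'SSL 3.0 still enabled; check that the session is elevated and re-run.'
}
```

Disabling the Client side will break outbound connections to any internal system that still speaks only SSL 3.0, so inventory those first; the Server side is the one that removes the POODLE exposure for web servers.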

The last month also included several data breaches for prominent U.S. companies, including a massive data breach for the U.S. financial institution JP Morgan Chase. The JP Morgan Chase breach is particularly troublesome because, unlike breaches where credit card information is compromised, this breach included personally identifiable information such as names, addresses, phone numbers, and email addresses. If a credit card is compromised, it can easily be reissued. However, the loss of personal information like names and addresses is not so easily rectified; worse, this information can later be used to perform identity fraud. The JP Morgan Chase breach was caused by the improper configuration of an internal reporting server which was inadvertently left open to the public Internet. Search engines duly indexed the content, and when it was discovered by attackers they no doubt had a field day. Making matters worse, one of the pages indexed included a username and password that could be used to access pretty much all data on the server. Rounding out the major data breaches last month were K-Mart Stores, where attackers used malware to steal payment card information, likely affecting customers who shopped at any one of the retail firm’s 1200 locations. In addition, Dairy Queen confirmed that nearly 400 of its retail locations were breached by attackers who installed malware on their point-of-sale systems.

The last topic of discussion for this month’s WindowSecurity.com monthly newsletter is the changes at Microsoft’s Trustworthy Computing (TwC) group. Microsoft recently announced that it would be disbanding TwC as a standalone organization and instead moving those responsibilities and resources into the various divisions in the company. The stated goal for this effort is to more tightly integrate security into the engineering teams, and to be more effective in the fast-paced, cloud-centric world we live in today. The TwC team is now a part of the Cloud and Enterprise division and will continue to be led by Scott Charney. Microsoft has certainly made tremendous strides with regard to security over the last ten to fifteen years. Let’s hope these new changes result in continued progress moving forward.

Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an important and essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, until now there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.

Click here to order your copy today!


Microsoft Security Bulletins for October 2014

For the month of October, Microsoft released 8 security bulletins to address 24 individual CVEs. 3 of them are rated critical and 5 are rated important. Affected software includes Windows, Office, .NET Framework, ASP.NET, and Internet Explorer. For more information about October’s security bulletins, click here.

Microsoft Security Advisories for October 2014

Microsoft has also published five security advisories this month. Microsoft security advisory 2977292 addresses an update for Microsoft EAP implementations that enables the use of TLS on all supported operating systems, client and server. Microsoft also updated security advisory 2755801 to address an update for vulnerabilities in Adobe Flash Player in Internet Explorer, and security advisory 2871997, which addresses an update to improve credential protection and management in Windows. In addition, to address the security vulnerability in SSL 3.0 exposed by the POODLE attack, Microsoft released security advisory 3009008. Finally, security advisory 2949927 announces the availability of the SHA-2 hashing algorithm for Windows 7 and Windows Server 2008 R2. This will be critical for security administrators as they plan to phase out the use of SHA-1 digital certificates in their organizations.

Security Articles of Interest

  1. The “Shellshock” vulnerability in the Bash shell in Linux was one of the main security stories this month. As I mentioned previously in this newsletter, this vulnerability affects the majority of Linux systems in use today. The vulnerability is remotely exploitable and has the potential to be even more problematic than Heartbleed.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
    http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as-exploit-reported-in-the-wild/
    http://www.incapsula.com/blog/shellshock-bash-vulnerability-aftermath.html 
  2. If Shellshock weren’t enough, the announcement of a vulnerability in the SSL 3.0 protocol has security administrators scrambling to assess their risk and exposure and to implement mitigations. POODLE is fundamentally an exploitation of protocol downgrade combined with a flaw in the way SSL 3.0 works with CBC cipher suites. Details about the attack can be found here:
    http://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844
    https://www.imperialviolet.org/2014/10/14/poodle.html
    http://blog.ivanristic.com/2014/10/ssl3-is-dead-killed-by-poodle.html
    http://www.troyhunt.com/2014/10/everything-you-need-to-know-about.html
  3. To address the security vulnerability in SSL 3.0 used by the POODLE attack, Microsoft released security advisory 3009008 that includes information on how to disable the use of SSL 3.0 on Microsoft Windows clients and servers.
    https://technet.microsoft.com/en-us/library/security/3009008.aspx
  4. As I outlined at the beginning of this month’s newsletter, there were a number of data breaches reported this month by various U.S. companies, including JP Morgan Chase, K-Mart, and Dairy Queen.
    https://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/
    http://threatpost.com/kmart-latest-retail-chain-to-disclose-payment-card-breach/108829
    http://dq.com/us-en/datasecurityincident/Press-Release/
  5. Microsoft’s Trustworthy Computing (TwC) Group is undergoing significant changes. The group has been disbanded as a standalone group within the company and is being integrated into the various engineering groups throughout the organization. Details about the changes to TwC and the group can be found here:
    http://www.geekwire.com/2014/microsoft-closing-standalone-trustworthy-computing-group-folding-work-units/
    http://blogs.microsoft.com/cybertrust/2014/09/22/looking-forward-trustworthy-computing/
  6. With all the security vulnerabilities and data breaches this month, now would be a good time to seriously consider implementing strong authentication in your organization wherever possible. Employing multifactor authentication (MFA) can greatly improve your security posture by providing a much higher level of assurance that the user is indeed who they claim to be. The benefit here is that it is much more difficult for an attacker to masquerade as a legitimate user using stolen credentials. MFA solutions are a commodity these days, with many vendors offering both on-premises and cloud-based solutions.
    http://blogs.microsoft.com/cybertrust/2014/09/16/cybercrime-data-protection-and-multi-factor-authentication-mfa/
  7. No sooner was the Microsoft Enhanced Mitigation Experience Toolkit (EMET) v5.0 released than security researchers discovered a way to circumvent some of its controls. Surprised? You shouldn’t be. This is the way of the world! Mitigating security vulnerabilities is a never ending arms race between the good guys and the bad guys. EMET is no different. Of course you are still much better off when EMET is deployed than you are without it, so be sure to have a look at it soon.
    http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass
  8. The U.S. Department of Justice (DOJ) has asked for a rule change that would grant the Federal Bureau of Investigation (FBI) permission to hack into the systems of users who use VPN or anonymizing services such as Tor. This is extremely dangerous, in my opinion. The implication here is that if you are using Tor or a VPN, you are doing something criminal. However, the act of hiding in and of itself does not necessarily imply that’s the case. There are countless reasons for using services such as these, both good and bad. Unfortunately, the solution is not to allow hacking by the federal government. If passed, this would become a very slippery slope indeed.
    http://www.networkworld.com/article/2686187/microsoft-subnet/doj-wants-to-give-the-fbi-permission-to-hack-into-pcs-of-tor-and-vpn-users.html
  9. The U.S. White House issued an executive order this week to implement the use of “chip and pin” to secure new and existing government credit and debit cards. While on the surface this sounds like a good idea, and no doubt it will have some positive benefits, it doesn’t address the whole problem with credit card fraud. Using chip and pin will only address “card present” fraud. It does nothing to mitigate the risks of stolen credit card information being used online. A better solution, in my opinion, would be to implement out-of-band two-factor authentication. This could be done easily using SMS text messaging or with a mobile application.
    http://www.whitehouse.gov/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security
    http://www.wired.com/2014/09/emv/
  10. Web Application Firewalls (WAF) are essential for protecting web servers, both internal and external facing. Hosting web sites on Microsoft Azure is an excellent option for public facing web sites and services, and recently Microsoft announced that you can implement the popular open source WAF ModSecurity.
    http://azure.microsoft.com/blog/2014/09/29/modsecurity-for-azure-websites/
  11. As organizations of all sizes migrate services to the cloud, Microsoft recently posted an article that outlines how they securely manage their cloud operations. Details here:
    http://blogs.microsoft.com/cybertrust/2014/10/01/trustworthy-cloud-series-managing-secure-cloud-operations/
  12. How do you know whether to trust your cloud vendor? Is their telling you “trust me” sufficient? I would hope not. But how do you communicate your trustworthiness to a potential customer? Richard Saunders, Director of Trustworthy Computing for Microsoft, explains how.
    http://blogs.microsoft.com/cybertrust/2014/10/01/trustworthy-cloud-series-managing-secure-cloud-operations/
  13. Computer and software industry giant HP recently announced that it will revoke a digital certificate that was once used to sign software components that ship with many of its products. As it turns out, apparently this code signing certificate was inadvertently used to sign some malicious software in 2010.
    http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/
  14. Microsoft has announced that it is making changes in the way it detects adware. In addition to setting out guidelines for advertisers to follow so they aren’t detected as adware, Microsoft is also making changes in Internet Explorer aimed at preventing software from taking over the browser and preventing the users from making other changes to IE settings or from removing plugins.
    http://blogs.technet.com/b/mmpc/archive/2014/10/16/close-means-close-new-adware-detection-criteria.aspx
    http://blogs.technet.com/b/mmpc/archive/2014/10/17/staying-in-control-of-your-browser-new-detection-changes.aspx

WindowSecurity.com Articles of Interest

  1. Third-Party Software is a Security Threat – Part 1
  2. Planning Considerations for BYOD and Consumerization of IT (Part 4)
  3. Check Point VPN-1 UTM Voted WindowSecurity.com Readers’ Choice Award Winner – Firewall Solution
  4. Back to Basics: Groups vs. Organizational Units in Active Directory
  5. Shellshock the Bashbug Vulnerability
  6. Third-Party Software is a Security Threat – Part 2

Windows Security Tip of the Month

This month I’d like to share with you two online resources that will be essential for verifying that your POODLE attack mitigation efforts have been successful. The first is the Qualys SSL Labs server test site. When you visit this site and provide the name of your web site, it conducts a comprehensive evaluation of the SSL configuration for your site. In addition to evaluating authentication and certificate configuration, the site also evaluates the protocols in use and will indicate whether you have successfully mitigated the POODLE attack. On the client side, to ensure that your system and browser are not vulnerable to the POODLE attack, simply visit poodletest.com. If you see the Poodle, you’re vulnerable! If you see the Springfield Terrier, you are not.