Redmond: "Your VPN Can Be Hacked"
August 20th, Microsoft warned Windows Administrators of a so called "man-in-the-middle" attack that is able to steal passwords for some wireless networks and VPNs. There is no patch released, as this is a configuration issue.
Redmond's security advisory was their response to a Defcon session by security researcher Moxie Marlinspike. In a blog post written right after Defcon, he explained how he had been trying to crack MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) and said: "Even as an aging protocol with some prevalent criticism, it's still used quite pervasively...It shows up most notably in PPTP VPNs, and is also used quite heavily in WPA2 Enterprise environments."
Also at Defcon, Marlinspike released "Chapcrack," which is a new tool that parses data for passwords encrypted with MS-CHAP v2, then decodes these passwords using the CloudCracker password cracking service.
Microsoft acknowledged that this is a vulnerability: "An attacker who successfully exploited these cryptographic weaknesses could obtain user credentials," the Monday advisory stated. "Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource." Here is the technet link:
There is no patch for this, it's a configuration change that will fix the problem: "This issue is due to known cryptographic weaknesses in the MS-CHAP v2 protocol and is addressed through implementing configuration changes."
So what to do? Redmond recommended that you add PEAP (Protected Extensible Authentication Protocol) to secure passwords for VPN sessions, and a support document described how to configure servers and clients for PEAP.
Participate in ITIC 2012 Global Server and Server OS Reliability Survey
You can win an iPad and/or an iPod when you do! ITIC’s 2012 Global Server Hardware and Server OS Reliability survey is live!
This survey consists of multiple choice questions and one essay question. It polls corporations on their satisfaction with the reliability, uptime and security of the major server hardware and server OS platforms. It also gauges customer satisfaction with the pricing, service and support you receive from your vendors.
Are the servers and server operating systems performing up to expectations? Are they too expensive or too hard to use? Tell us what you think. We know that you’re busy. This survey should take only a few minutes to complete.
All responses are confidential. The survey is for informational purposes only.
No one will call or Email you with any sales pitches.
We are giving away a free iPad and a free iPod to the survey respondents who provide the most insightful response to the final essay question. Be sure to leave your email address along with your comment within the Essay question response. Once the survey is finalized, we'll publish the Executive Summary and survey highlights here. To further show our appreciation, anyone who completes the survey can get a complimentary copy of the Report once it's published by emailing: firstname.lastname@example.org. Here’s the survey link:
Quotes Of The Month
"You have enemies? Good. That means you've stood up for something, sometime in your life." -- Winston Churchill
"Death is not the worst that can happen to men." -- Plato
Editor, WindowSecurity.com Newsletter
Email me at email@example.com
Released: Kevin Mitnick Security Awareness Training
Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.
Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training . You'll be glad you did:
30% Users Infected Per Year
According to the Radicati Group, a whopping 30 percent of corporate users are infected with malware every year. By employing the defense-in-depth strategy, taking the outer layer seriously (Policy, Procedures and Awareness) and deploying effective security awareness training, organizations can reduce the risk of security incidents dramatically. The numbers are shocking. The average 1,000 employee organization spends over $287,000 per year defending against and cleaning up after malware attacks. In these economic times, any measure that drives down those costs means more budget to invest elsewhere.
Let’s look at those numbers for just a moment, that’s $287 per employee per year. And that is for organizations of around 1,000 employees which benefit from economies of scale. For smaller organizations the cost per employee is likely to be higher. If you could spend $15 per employee per year for effective security awareness training , which could cut the number of malware infections dramatically, the return on investment is likely to be the most solid of your whole security budget. Find out how affordable the new Kevin Mitnick Security Awareness Training is for your organization:
Security Compliance and Microsoft SCM
The excellent Deb Shinder provides an overview of what SCM v. 2.5.40 does and how it does it. She started out with: “Compliance.” It’s a word that strikes fear in the hearts of everyone from the lowly IT pro to the folks in the executive suite. Between all the industry standards, federal and state mandates and regulatory agency rules and regulations, getting and staying in compliance with everything is increasingly becoming an ongoing challenge. Depending on your organization’s line of business, you may be required to comply with PCI standards, FISMA, HIPAA, GLB or SOX statutes, ISO standards and other requirements that you prove your systems and network meet a specified level of security." It's a worthwhile, in-depth article you do not want to miss.
6 Steps To Handle IT Security Incidents
New Guide from the National Institute of Standards and Technology. The National Institute of Standards and Technology has issued a revision of its guidance to help organizations establish programs to manage computer security incidents. NIST, in Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide, spells out what incident-response capabilities are necessary to rapidly detect incidents, minimize loss and destruction, mitigate weaknesses that were exploited and restore IT services.
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at firstname.lastname@example.org
SecOps: What You Need To Know
Mobile Security Updates 2012
WinSec author Ricky M. Magalhaes focuses on how you can improve the security of your mobile devices against new and old threats. "The first mobile virus was reported in 2004, a lot has happened since then with the emergence of mobile platforms like Android and iOS devices. Mobile devices are now the PC in your pocket so should we be applying the same level of security to these devices? Read the article.
Sysinternals Tools Updated
Deb Shinder wrote: "A while back, I did an article series for Windowsecurity.com about how to hunt down and kill malware with popular Sysinternals tools Autorun, Process Explorer and Process Monitor, developed by Mark Russinovich and distributed free by Microsoft. These and a couple of other Sysinternals tools (PsKill and RAMMap) have recently been updated with bug fixes and (in the case of RAMMap) new features/functionality that includes support for Windows 8. Read more here.
9 Popular IT Security Practices That Just Don't Work
Roger Grimes is one of my favorite IT authors. He's been writing a column for InfoWorld for many years. This one is particularly warmly recommended, as he makes a series of very good points. You should really read this entertaining article.
Free IT Tool Temptation
You are an IT pro and free IT tools definitely have an appeal. There are many positive sides like no license costs, no wait time for budget, and you really are not committing to anything. It's really only your time that is involved, right? Not so fast.
Granted, in a lot of cases, free tools are a great way to test a new way to solve a nettlesome problem and see if you can get to the bottom of something, or to see how it behaves in your network.
However, a lot of organizations get hooked on these type of tools, which can be a time sink... your time. Over the years, these tools eat away at your productivity, as (since they are free) they are not as stable as real production code and you need to spend more time troubleshooting.
So, there are hidden costs connected to free tools that you need to calculate in before you put them into a production environment. It might ultimately be more efficient to invest in a a simple to use, effective and flexible commercial solution that will allow you to complete your day-to-day tasks faster and more reliably.
Ex-Hacker Spills Secrets Of Fighting Social Engineering
Peter Bruzzese is an InfoWorld author with a lot of knowledge about end-user training. He just wrote an article about social engineering and how Kevin Mitnick has put 30 years of hacking experience in a 30-minute course. Here is the article.
Detect Hacking attempts with Google Analytics
Will Reynolds at SEER interactive wrote: "If someone was attempting to break into YOUR site, use YOUR bandwidth, or even use YOUR site to launch attacks against OTHER sites, would you know? How would you know? When would you know? Would you be able to detect the attack and stop it before it caused any damage? Or would you be stuck trying to cleanup after the attack was finished?
Recently at SEER interactive while examining some unusual traffic to a client’s website, we discovered that Google Analytics was picking up an attack against the site as legitimate traffic. With a little digging we found several key indicators which can help you determine if the traffic to your site is actually traffic, or if some of it is an attack against your site. Also included in this post, is a recommendation on how to handle an attack once discovered, and the end of this post is an Alert you can setup in Google Analytics that should email you if someone starts to launch attacks against your site.
Fave links & Cool Sites