Upgrade or Get Hacked (When Patch Available)

Did you hear the latest in Cybersecurity news?

  1. No not the news that Pizza Hut was hacked
  2. Not the news Hyatt Hotels were hacked.

BUT only the news that the supposed secure WPA2 Wifi Protocol is actually vulnerable to attacks. Which essentially means all current wifi access points are not secure.

CERT has a list of all the vendors with patches and affected vendor models.  CERT used to be Computer Emergency Response Team, but today it is at Carnegie Mellon University and still reviews the important vulnerabilities.

So you say…  Big deal another protocol is insecure the researchers say, just because it may be insecure if a person with knowledge can hack this then my wifi is going to be less secure, but what does it really mean?

It means it is another item to patch in a large schedule of patches (with Microsoft Windows, and other software also having to be patched.)

So we have to evaluate the actual risk and impact before allocating resources.

For one the hacker has to be close enough to your wifi station to see if they can hack your communications, this is not a recipe for mass mania. True,  but as usual it is only the high risk areas that have more to worry about. High risk as in protecting Social security numbers, and other PII (Personal Identifiable Information).

So the largest worry we have is that this patch is going to be ignored by most people, thus leaving 50% or more of wifi access points vulnerable to this attack. So the best thing that can happen here is that companies must evaluate their own situation and then make decisions with their resources as to when to patch this problem. It may not be easily hackable and must have proximity to wifi access points.  So in the future a seeming secure protocol is not until patched.

Unfortunately not everyone patches. As we mentioned before, 25% patch within first week,another 25% within first month, an additional 25% within 6 months. And some do not patch at all.

 

Obviously this is true since there are many ransomware outbreaks and they take advantage of basic patches not applied (vulnerabilities that take advantage of this).

So in the coming months as hackers develop better hacks (programs that take advantage of this vulnerability so the hacker can make money,  only then will the risk go higher and higher. And depending on impact of system affected it might actually get more dangerous for the companies not patching.

 

So everyone must have a patching regimen. Get going already – get a CISA tester on hand (like US – contact us).

 

Learning from Equifax Breach

I wish I could say that this post would be something new – like buy “xyz” product and perform handstands or something and all your problems are solved.

Unfortunately The Equifax breach likely happened due to unpatched systems. As even Equifax itself admitted¹:

 

So as we discuss this problem many times, how can a company with IT people and Cyber security people possibly miss patching  this kind of a vulnerability?

 

it is not as if the vulnerability is a minor one. this Apache Struts vulnerability is a severity 10 (on a scale of 1-10) and as I have mentioned before the time after a vulnerability is found the clock is ticking. The hackers try to exploit and companies try to patch the problems as soon as possible to prevent from happening what happened to Equifax. Rapid7² discusses the exploits available and what should be done.  (Solution: upgrade to latest apache-struts)

 

Somehow the upgrade process and patching of critical pieces of infrastructure is very difficult for organizations and thus they are susceptible to attacks. and will be until we as consumers can push them into fixing things.  How will we know if companies are patching? Someone has to audit them, someone like us (as a Certified Information Systems Auditor) at https://fixvirus.com/

It seems simple to me, but somehow this process of patching highly vulnerable systems is very difficult. And thus it takes time, which the hackers use to try and gain entry. Once the hackers have entry into your systems (evading defenses and taking information) it is a short time to a full fledged breach.

 

  1. https://www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/
  2. https://www.rapid7.com/db/vulnerabilities/apache-struts-cve-2017-5638

Keep Up on Security News

It is good to keep up on the latest security news so that you can review what vulnerabilities are being created with new bugs.

Keeping up on the latest vulnerabilities allows you to keep the Risk analysis up to date (Risk = likelihood * impact). Because as new events happen, your risk profile changes.

We created Security News Analyzed page for this reason:

http://oversitesentry.com/security-news-reviewed/

 

We are looking for ways to make this methodology better and more efficient. So that one spends the least amount of time on reviewing the latest news as possible.

On the Security News Analyzed page we have collected 30 top security news websites which allow you to keep up on your technology in your company and homes.

 

We have redone this site many times, and are in the midst of redoing it again (keep an eye on it in the next couple of months:

Here are some older looks:

7/8/2016 discusses the vulnerability

 

At this point I was still reviewing many websites for inclusion  (06/2015)

Doing the Basics Would Have Saved You

A new Zero-Day attack is out available for attackers. this attack was discussed in the SANS website Internet Storm Center: https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/

SMBLoris – the new SMB flaw

The article was written from reviewing a Threatpost article, but was ultimately triggered because of the DEFCon 2017 presentation:

 

Notice the arrows on right with memory usage on a webserver going close to 100%.

What makes this attack (DOS – Denial Of Service) so bad is that it is easily disguised as ‘SlowLoris’ as sending partial HTTP requests to webservers (i.e. not fully connecting to the webserver). This partial connection essentially slows the webserver to a crawl when requesting enough connections.  And since this is a standard request, it is hard to distinguish friend from foe.

This is an interesting point from the archive.org webpage:

“Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.”

So this is not a simple easy to see issue. This issue abuses the way the webserver operates for the following 4 applications:

 

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

slowloris is just one variant and as hackers review this attack…  variants may get created and thus exploit this in yet unknown ways. As of this posting there is no CERT classification yet.

What do I mean about the basics?  Well, if you have a webserver it should not have port 445 open to the public:

Google Port 445 definition:

Port 445 is a SMB port, or Structured Message Block which is used in NETBIOS protocols usually in file sharing applications. Well, one should not have a webserver with port 445 open and available on the Internet.

So, if you have done the basics, i.e. not run 445 or other ports that are unnecessary than this attack will likely not affect you or at least minimally affect you.  If you had to keep everything open, it might be time to run a firewall port limiter device in front of your website.  This is a fluid issue at this time, so keep an eye out for new attacks.. Contact Us to discuss.

 

Remember the hacker takes advantage of poor configurations.

Contact Us to discuss auditing your environment and review the basics in IT security.

 

 

 

What Worked In the Past May Not Work Soon

We are always enthralled with technology and how it changes the status quo, but we also need to be aware of tactics that use technology may need to get updated.

In 2017 we are obsessing over online sales and how the smart phone is changing our world.  Now there are grumblings over automated cars and quantum computers which will upend encryption technologies and how we defend our networks.

Do you remember this headline?

“SSL security is no longer PCI compliant”

The encryption technologies become obsolete once a method is developed by wily people to circumvent the technologies (in this case SSL)”

Yes, when quantum computing starts to crack our current ‘unbreakable’ encryption it will make us change how we try and secure data, but until then are we just worrying about nothing?

What about more effective Windows Kernel exploitation? Like in this BlackHat 2017 presentation:

The paper  shows that it is possible even with all of hte Windows10 mitigations built-in by Microsoft to bypass the kernel-mode read primitives. I.e. even the new Microsoft operating system is vulnerable to attacks.

I bring this topic up as we are not sure how the future will be, and thus we do  not know which part of our current life to change so as to ‘fix’ future problems.

Here is a very old “change decision” I am sure you know by now that the dutch had the land of what is currently called Manhatten (NY) and called it New Amsterdam (year of 1660 map below)

only 4 years after this map the city was called New York as the Dutch governor surrendered to an English expedition. The whole history is on this website: History.com. 

I am sure the Dutch going on the first expedition and creating the colony in 1626 did not think in just 34 years it will be English. Circumstances were such that the Dutch lost possession or thought it was in their interest to trade/give away what they painstakingly created.

Things change quickly, all those plans for many years and in a heartbeat all changed. Now over 300 years later we do not even remember the dutch in america (except for historians and quirky IT people).

So lets take it back to 2017… We need to plan contingencies for many different situations before they happen, otherwise events will overcome our actions and actions become reactionary and we are just trying to keep our heads above water. Or what we think is above water. What am I talking about in specific?

  1. Ransomware attacks
  2. Social media and email phishing employees of companies

Let’s keep it simple and try and devise strategies to defend against both 1 (ransomware) and 2 (phishing) attacks.

What can prevent a ransomware attack if attackers are constantly improving themselves and sometimes errors occur in your network? Maybe prevent is a bad word. Keep you in business are better words: A well designed backup strategy will make you survive all attacks even if they take your computers out. Or if a disaster occurs.

If you are a person in charge of your business what is the reasonable assumption of knowing 100% that your business will be alive next year no matter what?

Your business must have security procedures which have to include backup and recovery strategies.

Make sure that your IT department has the wherewithal to handle this new world by auditing it and receiving  reports for the future occurrences. Don’t be a standard business with no cybersecurity budget or have not backed up your files.

Since I am CISA Certified I can audit your network and computers to give you some peace of mind to.  Contact me to get peace of mind.  https://fixvirus.com/about-us-full-story/