Category: Security Alerts


Folks are wondering: if the government cannot secure our data, who can? Frankly, the government has always been horrid at security. I have done contract work for the government more than once, and the level of network security outside of the military is atrocious.

But none can hold a candle to the breach the U.S. government announced last week. Not even close. On a scale of one to 10, with one being the loss of credit card numbers and names, this data loss event would conservatively be a 15.

Most people aren’t aware of exactly what type of information the federal government collects on its employees, especially those with security clearances. We all have some idea that government employees have relatively strict reporting requirements for financial information, and we know that federal workers with higher clearances undergo thorough background checks and must submit to interviews of both themselves and their family and friends. This is done to flag potential problems and to prevent outside agents from having undue influence over people who may have access to sensitive information and materials.

Put simply, if you have a security clearance, the government would like to know if you have a drug problem or if you are in serious debt, because a foreign interest may try to use that situation as leverage to coerce you into revealing sensitive information. In the interest of national security, these safeguards make sense.

But the true nature and scope of the information required by the government and subsequently collected by the government on an employee is massive. Take a look at Standard Form 86. This is a 127-page form that usually takes a week or more to complete and requires the entry of the applicant’s Social Security number on each page. The data included on this form is not just enough for identity theft, but enough to allow a person to literally become another person. Each Standard Form 86 fully documents the life of the subject. The only thing missing is the name of your first crush, though that might be in there somewhere too.

Some 18 million people had this level of personal data — and more, including data collected by observers — lost to foreign agents last week. If the government collected this data to know if an employee was vulnerable to undue outside influence, then it just succeeded in closing that loop itself, having now released it into the wild. All of those vulnerabilities are now known and available for exploit to whomever stole the data, or to whomever they wish to sell that data. This is very, very bad.

I should also mention that many of those whose personal information was swept up in this data loss event were never even government employees in the first place. They may have filled out the forms and submitted applications, but they were never hired or they declined the job. This includes prospective TSA agents right on up through CIA employees — the higher the position, the higher the clearance, the more sensitive the data that was collected and lost. Information on these people’s infidelities, sexual fetishes, mental illnesses, criminal activities, debts, and other highly personal information is now in the hands of cyber-attackers. This is damage that cannot be undone or mitigated. We can change credit card numbers and refund fraudulent charges, but we can’t change any of the personal data and intimate details of these people’s lives. That’s a permanent loss.

Source: The most dangerous data breach ever known | InfoWorld

I have never run Windows 8, and I often cite the horrid interface as the main reason. There’s another reason as well. The forced integration with Live.com leads to severe security issues, as noted in this article. I do not know if this forced integration is present inside Windows 10 as well. I am researching this now.

How Best Buy’s computer-wiping error turned me into an amateur blackhat | Ars Technica

There you go. The latest Windows operating system, and it was compromised by a Web search and some open source software. The whole process took me a few hours. I can only imagine how fast a seasoned hacker could do it. Also, I didn’t change anything about the computer’s hard drive. The default Windows security has improved over the years, but so have the tools to get around it. There are settings that can protect against this type of attack, but those aren’t the default settings.

Connected world

I logged in as David and the computer looked like I expected it to—default. I’d already perused the files, so I knew there wasn’t much to be found there.

What I didn’t know was what I’d find online. David’s password didn’t just get me into this computer. It was also his Hotmail and Windows Live passwords. I was now logged in as David on a computer that the world still thought was his.

I debated whether I should take my research one step further and log into a website. But I didn’t want to invade David’s privacy any more than I already had—even though I hadn’t gotten much. Up to now, I’d been accessing data on a computer I purchased that was supposedly wiped clean and like new. But going online? That felt a bit too far.

For example, if he had logged in to social media sites, a less moral-conscious hacker could do some embarrassing things or some social engineering. Imagine if he’d logged into Amazon or his bank and the financial damage that could have resulted. They would also have access to David’s Windows Live account profile, purchase history, Xbox Live account, OneDrive, and other Microsoft services. And don’t forget that they could also see his Internet history and visit all the sites whose passwords are saved in the browser.

I did make one mistake. This was my first time using Windows 8 with a touch screen, and I accidentally launched the Mail app, which automatically logged me in to David’s Outlook mailbox. This is the brass ring for a would-be thief, giving the thief the ability to search which sites David had accounts for. Most people use the same passwords over and over, so that would give a thief a leg up. And if the password didn’t work, the hacker could simply use the forgot password link on the site and it would send an e-mail to—you guessed it—the Outlook e-mail.

A thief would have immediately changed David’s e-mail password. Luckily, I’m not a thief, so I quickly exited the app and silently apologized to David.

Source: How Best Buy’s computer-wiping error turned me into an amateur blackhat | Ars Technica

The results from the survey showed that smaller companies are only about half as likely as larger firms to test their own data security, to hire new data security staff or to require data security training for employees.

“This is not just the U.S.,” Graham added. “In fact, 85 percent of companies around the world say they have been hacked.”

And that number could be even higher, since many victims don’t even know that they have been breached.

Source: Forget the giants, small biz even more vulnerable to hacking – WTOP

The online attack service launched late last year by the same criminals who knocked Sony and Microsoft’s gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, KrebsOnSecurity.com has discovered.  Just days after the attacks on Sony and Microsoft, a group of young hoodlums calling themselves the Lizard Squad took responsibility for the attack and announced the whole thing was merely an elaborate commercial for their new “booter” or “stresser” site — a service designed to help paying customers knock virtually any site or person offline for hours or days at a time. As it turns out, that service draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.

via Lizard Stresser Runs on Hacked Home Routers — Krebs on Security.

If your router is vulnerable to this, outsiders can easily take control of the router and use it to jump into your network. These devices have been coming under increasing attack due to their poor security models and the lack of security updates from the router manufacturers. I’ve begun recommending not using these types of routers anymore due to the numerous security problems they are introducing. Sophos UTM is free for home use; you just need to provide suitable hardware. Sophos UTM is available at a reasonable cost for businesses and NPOs and gives you true protection from the internet. For full information contact ETC.

More than 12 million routers in homes and small offices are vulnerable to attacks that allow hackers anywhere in the world to monitor user traffic and take administrative control over the devices, researchers said.

The vulnerability resides in “RomPager” software, embedded into the residential gateway devices, made by a company known as AllegroSoft. Versions of RomPager prior to 4.34 contain a critical bug that allows attackers to send simple HTTP cookie files that corrupt device memory and hand over administrative control. Attackers can use that control to read plaintext traffic traveling over the device and possibly take other actions, including changing sensitive DNS settings and monitoring or controlling Web cams, computers, or other connected devices. Researchers from Check Point’s malware and vulnerability group have dubbed the bug Misfortune Cookie, because it allows hackers to determine the “fortune” of an HTTP request by manipulating cookies. They wrote:

If your gateway device is vulnerable, then any device connected to your network—including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network—may have increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.

via 12 million home and business routers vulnerable to critical hijacking hack | Ars Technica.
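The one concrete thing you can check yourself here is what your gateway’s embedded web server calls itself: RomPager puts its name and version in the HTTP Server header, and the article says builds before 4.34 are the affected ones. The script below is an added example written for this post, not Check Point’s checker or anything from AllegroSoft; the header samples in SAMPLES are constructed, not captured from real devices, and the host argument is only meant for a gateway you own or are authorised to test.

```python
"""Flag gateways that advertise a RomPager build older than 4.34 in the HTTP
Server header. Added example for this post, not Check Point's checker; the
header samples in SAMPLES are constructed, not captured from real devices."""
import http.client
import re

VULN_BELOW = (4, 34)  # per the article: RomPager versions prior to 4.34 are affected
ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def rompager_version(server_header):
    """Return (major, minor) from e.g. 'RomPager/4.07 UPnP/1.0', or None."""
    m = ROMPAGER_RE.search(server_header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(headers):
    """Classify one set of response headers (header names are case-insensitive).
    Returns 'vulnerable', 'patched' or 'not-rompager'."""
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    ver = rompager_version(server)
    if ver is None:
        return "not-rompager"
    # tuple comparison: (4, 7) < (4, 34) is True, (4, 51) < (4, 34) is False
    return "vulnerable" if ver < VULN_BELOW else "patched"


def fetch_headers(host, port=80, timeout=5.0):
    """HEAD / against a gateway you are authorised to test (needs network)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed samples: two RomPager banners and one non-RomPager web server.
SAMPLES = {
    "gw-a": {"Server": "RomPager/4.07 UPnP/1.0"},
    "gw-b": {"server": "RomPager/4.51 UPnP/1.0"},
    "gw-c": {"Server": "lighttpd/1.4.28"},
}


def scan_samples(samples=SAMPLES):
    """Assess every sample; returns {name: verdict}."""
    return {name: assess(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python3 rompager_check.py 192.168.1.1
        print(sys.argv[1], assess(fetch_headers(sys.argv[1])))
    else:
        for name, verdict in scan_samples().items():
            print(name, verdict)
```

Treat the banner as a first-pass signal only: a gateway that hides or rewrites its Server header is not thereby safe, a vendor may ship a fixed firmware without changing the version string, and the fix is vendor firmware (and not exposing the management interface to the WAN), not a passing banner check.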

I am not trying to spread “stranger danger” fear-mongering here. If you are a parent, grandparent or any other kind of close relative, please read the linked article at the bottom of this post. I have been following this since it began. More details are becoming known. I’m not playing the blame-the-victim game here, but unsafe online behavior contributed to this crime. Parents, PLEASE know what your children are doing.

In my experience this is usually the cause of mis-communication or a lack of communication.  Technology is part of the solution but a good parental relationship will do better than any technology.

I was recently at the Brunswick Business Expo and I was disseminating the following documents:

1. This is a set of tips for adults in regards to online safety.

2. This is a set of steps for youth in regards to online safety.

3. This is a “contract” between your youth and yourselves. This provides a framework for communications between the adults and the youth for proper online behavior. It also provides the foundation for a clear set of expectations from both sides of the conversation.

I am not saying this is the be-all and end-all, but I hope you find it useful. There are technological things that can be done to aid caregivers in supervising their youth. If you have any questions contact us.

On November 10, a 12-year-old girl left her home in the Baltimore suburb of Nottingham at 7:30am, heading to her middle school. She never returned home. When her mother called the school later, she discovered that her daughter had not even arrived. Suddenly, Baltimore County Police were calling in the FBI to assist in their search for a missing person.

According to police reports, “an unfamiliar blue pick-up truck with North Carolina license plates” was spotted by neighbors near Jane Doe’s home that morning. (While the girl’s name was previously published in Baltimore local media, we’ll refer to her by the name used in recent court documents—Jane Doe—because of her age and because of the nature of the crime allegedly committed against her.) Over the next four days, the investigation of Jane Doe’s disappearance led to a ranch house on a cul-de-sac 340 miles away in Raleigh, North Carolina. That’s where North Carolina Alcohol Law Enforcement agents working under the direction of the FBI eventually found the kidnapped girl—along with a 32-year-old probationer named Victor Yanez Arroyo.

The girl is now back with her family, but according to arrest documents, Jane Doe told authorities that “at the residence, Arroyo had non-consensual sex with her two times.” Arroyo was arrested and now faces a wave of state and federal charges.

Luckily, the FBI and other law enforcement agencies had Doe’s real name and several aspects of her digital identity to work with, including her Xbox Live gamer tag, her Apple iCloud account, and her social media chat accounts. All of these digital identities played a role in the forensics work used to track down Jane Doe’s abductor.

But they also played a major role in her abduction.

via 12-year-old’s online life brings an abductor to her doorstep | Ars Technica.

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may also threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

“If they install software that listens on port, then that machine would be vulnerable,” he said. An example would be “if they run Windows 7 but install an FTP server on it that accepts connections from outside, or a Web server on a client.”

Tuesday’s disclosure means that every major TLS stack—including Apple SecureTransport, GNUTLS, OpenSSL, NSS, and now Microsoft SChannel—has had a severe vulnerability this year. In some cases, the flaws merely allowed attackers to bypass encryption protections, while others—most notably the Heartbleed bug in OpenSSL and the one patched Tuesday in Windows—allowed adversaries to steal highly sensitive data and execute malicious code on vulnerable systems respectively.

Microsoft’s advisory said there are no mitigating factors and no workarounds for the bug. A separate exploitation index assessed real-world attacks as “likely” for both newer and older Windows releases. The advisory said there is no evidence pointing to in-the-wild exploits against Windows users at the time it was drafted. MS14-066 was one of 16 updates Microsoft scheduled for this month’s Patch Tuesday batch. They include a fix for a zero-day vulnerability already under attack in highly targeted espionage attacks.

It took less than 12 hours after the disclosure of the catastrophic Heartbleed bug for it to be turned against Yahoo and other sites. Anyone who uses a Windows computer—especially if it runs a Web or e-mail server—should ensure Tuesday’s update is installed immediately.

via Potentially catastrophic bug bites all versions of Windows. Patch now | Ars Technica.

I don’t always agree with Steve Gibson. On this particular attack, the one thing that makes this a non-issue is that you have to have active malicious code running in the browser. Once your machine is compromised in any way you aren’t secure; it is really that simple. You can listen to Steve talk about this and get a text transcription on the Security Now episode page.

Really this is only a problem if you are surfing on a public wifi access point, where somebody can intercept your traffic, cause an error in your secure communications and then insert themselves into your data stream. Keep in mind SSL 3.0 dates from 1996 and has long been replaced by TLS. Really the only folks who still use this are on IE6. All modern browsers are going to fully kill SSL 3.0 support in upcoming updates, which is about time. Really you are not in danger from this unless you are browsing on public wifi AND using an ancient browser. Once SSL 3.0 finally dies some websites may break temporarily and some browsers will break (IE6). This isn’t nearly as dangerous as other vulnerabilities that have come up lately. A full analysis is available here. If you have any questions contact us.
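The question worth asking about any site you care about is simply whether it still accepts SSL 3.0 at all, because the attack only works once the browser and server end up speaking SSL 3.0 (the “error” mentioned above is what pushes a browser to fall back to it). Python’s own ssl module usually can’t ask this any more, since most builds no longer expose SSL 3.0, so the probe below hand-builds an SSL 3.0-only ClientHello and classifies the server’s first record. It is an added example written for this post from the SSL 3.0 record and handshake layouts, not a tool from Security Now or the linked analysis; the host name under __main__ is a placeholder, and you should only point it at servers you are allowed to test.

```python
"""Minimal SSL 3.0 probe: send a ClientHello that offers only SSL 3.0 and
classify the server's first record. Added example for this post, written from
the SSL 3.0 record and handshake layouts; not Security Now's or the linked
analysis' tool. The host name under __main__ is a placeholder."""
import os
import socket
import struct

SSL3 = b"\x03\x00"               # ProtocolVersion {3, 0}
ALERT, HANDSHAKE = 21, 22        # record-layer content types
CLIENT_HELLO, SERVER_HELLO = 1, 2
# Cipher suites every SSL 3.0 stack of the era offered: 3DES-SHA, RC4-SHA, RC4-MD5.
CIPHERS = b"\x00\x0a\x00\x05\x00\x04"


def build_client_hello(client_random=None):
    """One SSL 3.0 record carrying a ClientHello (no extensions: SSL 3.0 has none)."""
    rnd = client_random if client_random is not None else os.urandom(32)
    body = (SSL3 + rnd
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", len(CIPHERS)) + CIPHERS
            + b"\x01\x00")                              # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record the server sent back to a verdict:
    'sslv3-accepted', 'sslv3-rejected', 'connection-closed' or 'unknown'."""
    if not data:
        return "connection-closed"        # some stacks just drop an SSL 3.0 hello
    if len(data) < 5:
        return "unknown"
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    frag = data[5:5 + length]
    if ctype == ALERT and len(frag) >= 2:
        # level, description: e.g. 2,40 handshake_failure or 2,70 protocol_version
        return "sslv3-rejected"
    if ctype == HANDSHAKE and len(frag) >= 6 and frag[0] == SERVER_HELLO:
        # ServerHello body starts at frag[4]; its first two bytes are the chosen version
        return "sslv3-accepted" if frag[4:6] == SSL3 else "sslv3-rejected"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSL 3.0 ClientHello, read one full record and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        while True:
            needed = 5 if len(data) < 5 else 5 + struct.unpack("!H", data[3:5])[0]
            if len(data) >= needed:
                break
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    print(target, probe(target))
```

An “sslv3-accepted” answer means the server will still negotiate SSL 3.0 with a client that asks for nothing else, which is exactly what a downgraded browser looks like; “sslv3-rejected” or “connection-closed” is what you want to see once SSL 3.0 is turned off server-side.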

There is active exploitation of a security flaw in all versions of Microsoft Word right now. The various online media have been saying this is a targeted attack, but I’m seeing general infestations with this security issue. If your machines aren’t updated you first need to get all of your gear updated, and then there is a patch available to repair the Word problem. Keep in mind this issue is capable of bypassing, and has bypassed, several anti-malware packages: Norton, Microsoft Security Essentials and AVG are the ones I’ve seen bypassed. I’ve not had any clients behind Sophos UTM products infected yet. It is not known if Office 2003 and older will get updated, as they have officially gone out of support and aren’t being updated on a regular basis. If you are running Office 2003 or lower you need to upgrade now. Either install LibreOffice or contact ETC Maryland for assistance. If you install LibreOffice you also must uninstall Microsoft Office or you aren’t protected.

This issue is called a zero-day exploit, which means the flaw wasn’t found by the “good guys” before it was actively being used by various attackers. I’ve had 3 machines come in within days of each other infected with malware that used this exploit. The fix is available online, or you can call ETC so I can get your security updated and get you protected against this latest threat. Here is the Microsoft security bulletin and the automated Fix it is here. You have to manually run this file on every affected machine. This only protects against the latest exploit. If you have not kept current on the other Windows updates you are open to other issues that this Fix it won’t protect you against. A more comprehensive fix is being worked on, but until it is available this Fix it is the best solution that ETC Maryland is able to recommend.