OneLogin Reports Breach in Security

Subject: General Tech | June 2, 2017 - 01:50 AM |
Tagged: onelogin, security

If you use OneLogin to manage your passwords, then you will want to check your email, which I’m assuming is the way they’ll contact customers, and see if they have any advice. (Although, now that the attack is public, be careful of spoof emails.) The password management company was recently accessed by a malicious entity, and data was copied. OneLogin says that it encrypts sensitive data, but it also states that the intruder may, or may not, have obtained the ability to decrypt it.

The attack occurred on their US-based Amazon Web Services (AWS) instance. Apparently, OneLogin noticed several servers being created without authorization, so they treated the API keys used to create them as compromised and shut the servers down.

There’s not much else to report at the moment. Check out the OneLogin blog to see what they find out as they find it out.

Source: OneLogin

Samba Developers Release Patch For Remote Code Execution Vulnerability (CVE-2017-7494)

Subject: General Tech | May 28, 2017 - 07:10 PM |
Tagged: samba, linux, ransomware, security, networking

Last week, the development team behind Samba – the popular software suite that lets Linux and Unix clients and servers share files and printers over TCP/IP with SMB/CIFS clients (including Microsoft Windows) – released a security advisory along with patches for a remote code execution hole that has been present in Samba for seven years, since the release of Samba 3.5.0 in March 2010. The vulnerability, classified under CVE-2017-7494, allows an attacker to upload malicious code to a Samba server and get the server to run it by sending a malformed IPC request that references the local file path. The Samba server will load and run the malicious shared library (.so) file even though it came from an untrusted remote source.

The bad news is that this is a fairly serious flaw that could lead to an attacker successfully holding a business or home user’s files (including backups!) for ransom, stealing data, or using the now-owned file server to attack other network resources that trust it. If a server is not securely configured (e.g. it allows anonymous writes), the attack could even be wormable, allowing it to self-replicate across the network or the Internet. Further, while various security firms have slightly different numbers, they all seem to agree that around 100,000 Internet-accessible machines are running vulnerable versions of Samba.

It is not all bad news though, and in some respects this vulnerability is not as big an issue as the WannaCry ransomware and the EternalBlue SMB vulnerability, because in order to exploit the Samba flaw an attacker first needs credentials to upload the malicious code to a file share, that share needs to be writeable, and the server must not be prevented from loading the file by a noexec mount or a SELinux policy. Also, attackers need to know or guess the local path of the uploaded file on the server in order to reference it in the malformed IPC request. More importantly, the Samba team has released three security releases (4.6.4, 4.5.10, and 4.4.14) for the newer branches and is working with OS distributions on patches for older Samba versions. For systems that cannot be updated or patched, there is also a workaround: add the setting “nt pipe support = no” to the [global] section of the Samba config file (smb.conf). While this will break some expected Windows functionality (mainly, machines will not be able to access null shares and will need to use the specific share path rather than just the server path), it stops Samba from accepting the malicious requests.

Perhaps the most worrying aspect of this vulnerability is that security researchers estimate that up to 90% of the vulnerable Internet-connected Samba endpoints do not have a direct patch or update available yet and may never get one. While enterprise hardware vendors and even the bigger consumer and SMB hardware providers will provide support in the form of patches or firmware updates, there is a sea of home routers, NAS boxes, file and print servers, and IoT devices running on home networks that are not open to user updates and may never get firmware updates. The best thing to do in this scenario, according to the security advisory (unless, of course, you can simply stop using the device or replace it with hardware that can be patched or isn’t affected), is to not expose it to the Internet. There would still be a risk of it being exploited should someone get a virus on a client machine through email, malicious downloads, or social engineering though. Considering these home NAS devices are usually used as destinations for backups, the risk of ransomware infecting not only client machines but also the main file share and network backups is scary. I have always been a fan of offline and/or cloud backups, and in these modern times they are more important than ever with the rise of ransomware and other profit-motivated viruses.

If you are not sure whether your network is affected, tools are being made available (including a Metasploit module, nmap scripts, and Internet scans) to help you find out. Use that information to reduce your attack surface, in order of effectiveness: update to the latest security release, apply patches, use SELinux policies to prevent the server from executing files itself, and prevent affected devices from communicating with the Internet.
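As an added example (not from the article or the Samba project), the following Python script turns the checks described above into something an administrator can run against a server's own data: it classifies the output of `smbd --version` against the fixed releases named in the advisory (4.6.4, 4.5.10, 4.4.14; everything from 3.5.0 onward is affected), reads smb.conf to see whether the `nt pipe support = no` workaround is present in `[global]`, and lists the shares that a remote user could write to, flagging those that also allow guest access, which is the anonymous-write case the article warns about. The version and smb.conf shown are constructed samples; the smb.conf parser is a deliberately minimal reader of `[section]` / `key = value` lines written for this example, and Samba's own loader accepts more syntax than it does. For branches older than 4.4 the upstream version alone cannot say whether a distribution backported the fix, so the script reports that honestly rather than guessing.

```python
import re

# Figures from the advisory as reported above: first affected release,
# and the first fixed release on each branch that got an upstream update.
FIRST_AFFECTED = (3, 5, 0)
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull an x.y.z version out of text such as the output of
    `smbd --version` ("Version 4.4.13"); any distro suffix is ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def version_status(text):
    """'not affected', 'patched', 'vulnerable', or 'unknown ...' for
    branches that never received an upstream fixed release (3.5 to 4.3),
    where only the vendor's changelog can tell whether a fix was backported."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not affected"
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "unknown (no upstream fix for this branch; check vendor patch)"
    return "patched" if v >= fixed else "vulnerable"


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and `key = value` lines,
    comments starting with '#' or ';'. Keys are lower-cased with internal
    whitespace collapsed so 'NT Pipe Support' and 'nt pipe support' match."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip().lower()
    return conf


def is_true(value):
    # Samba boolean spellings (yes/no, true/false, 1/0).
    return value in ("yes", "true", "1")


def workaround_applied(conf):
    """The advisory's mitigation: `nt pipe support = no` in [global]."""
    value = conf.get("global", {}).get("nt pipe support", "yes")
    return value in ("no", "false", "0")


def writable_shares(conf):
    """Return (share, guest_ok) for every share a remote user can upload to.
    'writable', 'writeable' and 'write ok' are Samba synonyms for the
    inverse of 'read only'; the default is read only, and the last
    setting in the section wins."""
    result = []
    for name, params in conf.items():
        if name == "global":
            continue
        writable = False
        for key, value in params.items():
            if key == "read only":
                writable = not is_true(value)
            elif key in ("writable", "writeable", "write ok"):
                writable = is_true(value)
        if writable:
            guest = is_true(params.get("guest ok", params.get("public", "no")))
            result.append((name, guest))
    return result


def assess(version_text, smb_conf_text):
    """Combine the three checks into one report."""
    conf = parse_smb_conf(smb_conf_text)
    return {
        "version": version_status(version_text),
        "nt_pipe_support_disabled": workaround_applied(conf),
        "writable_shares": writable_shares(conf),
    }


# Constructed sample input: an unpatched 4.4 build serving a guest-writable
# backup share, with the workaround line present only as a comment.
SAMPLE_VERSION = "Version 4.4.13"
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = home nas
   ; nt pipe support = no   (commented out, so the workaround is NOT active)

[backups]
   path = /srv/backups
   writable = yes
   guest ok = yes

[docs]
   path = /srv/docs
   read only = yes
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION, SAMPLE_SMB_CONF).items():
        print("%-26s %s" % (key + ":", value))
```

Run against real data with `smbd --version` output and the contents of `/etc/samba/smb.conf`; a result of `vulnerable` (or `unknown`) together with `nt_pipe_support_disabled: False` and a non-empty list of guest-writable shares is the combination the article describes as wormable.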

All that is to say don’t panic, stay vigilant, and make sure your important data is properly backed up and secured as much as possible!

Source: Samba.org

Pot, meet kettle. Is it worse to hoard exploits or patches?

Subject: General Tech | May 16, 2017 - 01:27 PM |
Tagged: security, microsoft

Microsoft and the NSA have each been blaming the other for the ability of WannaCrypt to exploit a vulnerability in SMBv1 to spread. Microsoft considers the NSA's decision not to share the vulnerabilities which its EternalBlue tool exploits with Microsoft and other security companies to be the cause of this particular outbreak. Conversely, while Microsoft developed patches for this vulnerability back in March for versions of Windows including WinXP, Server 2003, and Windows 8 RT, it did not release those patches for the legacy OSes until the outbreak was well underway.

Perhaps the most compelling proof of blame is the number of systems which should not have been vulnerable but were hit because the available patches were never installed.

Three problems have left us in the pickle we find ourselves in this week: the NSA wanting to hoard vulnerabilities so it can exploit them for espionage; Microsoft ending support of older products because it is a business and does not find it profitable to support products a decade or more after release; and users not taking advantage of available updates. On the plus side, this outbreak does have people patching, so we have that going for us.

"Speaking of hoarding, though, it's emerged Microsoft was itself stockpiling software – critical security patches for months."

Source: The Register

Patch that HP laptop ASAP

Subject: General Tech | May 12, 2017 - 02:05 PM |
Tagged: hp, keylogger, security

The poorly thought out feature HP added to the audio driver in some past laptop models can now be removed. The previous driver, which listened for a certain key to be pressed, actually recorded all keystrokes made by the user and stored them in plain text under the Public profile. The file was deleted each time the computer restarted but could still exist in backups, so you should check those backups for MicTray.log. Slashdot reported this morning that HP has released a fixed driver, which you should grab from Windows Update or HP.com immediately.

"HP says it has a fix for a flaw that caused a number of its PC models to keep a log of each keystroke a customer was entering. The issue, caused by problematic code in an audio driver, affected PC models from 2015 and 2016."

Source: Slashdot

Crazy, I'm crazy for feeling so buggy ... then Microsoft called it off

Subject: General Tech | May 9, 2017 - 12:43 PM |
Tagged: security essentials, security, microsoft, fud, endpoint, defender

You have probably already read about the bug, discovered by Google Project Zero researchers, which affects all of Microsoft's security programs, from basic home apps like Defender through to the professional-level Forefront Security for SharePoint. It was certainly a bad one, using the act of scanning a file for malware as the infection vector, strikingly similar to the way some viruses hijack our own immune systems.

The good news is that Microsoft started pushing out a fix for the bug on Monday; as the bug was hinted at publicly on Friday, someone must have put in a long weekend. This quick turnaround is very nice to see and demonstrates the usefulness of publicly announcing the existence of a threat without immediately revealing the details. Bug bounty programs are a good thing, but if they involve NDAs they can lead to delays in resolution, as there is little pressure on the software developers to push out an immediate fix. As The Register states, when you responsibly disclose the existence of a bug, especially a major one such as this, you get a quick turnaround like we saw from Microsoft.

Update if you got 'em!

"On the second point, well, we hate to break it to you but all software has bugs – especially Microsoft's code. There are any number of horrible remote code execution flaws in Windows and Office right now, sitting there waiting for white and black hats to find and exploit. Being told, yes, there is definitely a bad bug lurking in among the ones and zeroes doesn't make you less secure."

Source: The Register

Google doesn't seem to mind SilverPush and your phone's surreptitious addiction to advertisements

Subject: General Tech | May 5, 2017 - 01:29 PM |
Tagged: fud, silverpush, security

In 2015 we learned enough about SilverPush to worry security wonks about its ability to track your phone without your knowledge. Several hundred apps available on the Google Play store include SilverPush and do not inform users that they use that software to track their whereabouts, which would seem to be in direct contravention of Google's stated requirements. That is more upsetting than the actual tracking.

SilverPush-laden apps listen for tones broadcast at 18 kHz to 20 kHz, which are inaudible to the vast majority of humanity. When an app that includes SilverPush receives such a tone, it sends out a signal which can be used to locate you, to track your progress through a store, or to verify that you are watching a particular advertisement. The creators of the software stopped development back in 2015 and, according to Ars Technica, have found this revelation rather confusing.
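To make the mechanism concrete from the defender's side, here is an added example (not from the article, Ars Technica, or SilverPush) of how one would audit a piece of audio, such as a captured TV advertisement, for a beacon in the 18 to 20 kHz band the article describes. It measures the power in that band with the Goertzel algorithm, a cheap per-frequency DFT, and compares it against an assumed-quiet neighbouring band (15 to 17 kHz) used as a noise floor; a ratio far above one means energy is sitting where no programme audio should be. The 50 ms window, the reference band and the 10x threshold are choices made for this example, and the audio is constructed in the script (a 440 Hz "programme" tone plus faint noise, optionally with a quiet 19 kHz tone mixed in), so it runs offline. The same measurement is what an app-behaviour researcher would run on the audio an app receives from the microphone.

```python
import math
import random

SAMPLE_RATE = 44100                  # Hz, a typical phone microphone rate
BEACON_BAND = (18000.0, 20000.0)     # the near-ultrasonic band the article names
REFERENCE_BAND = (15000.0, 17000.0)  # assumed quiet neighbour band (noise floor)
WINDOW = 2205                        # 50 ms of audio -> 20 Hz bin spacing


def goertzel_power(samples, freq, fs=SAMPLE_RATE):
    """Power of one DFT bin via the Goertzel recurrence; cheaper than a
    full FFT when only a few frequencies are of interest."""
    n = len(samples)
    k = int(round(n * freq / fs))          # nearest bin index
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def band_power(samples, band, fs=SAMPLE_RATE):
    """Sum of bin powers across [lo, hi], one DFT bin at a time, so a tone
    anywhere in the band is caught (not just at round frequencies)."""
    n = len(samples)
    bin_hz = fs / n
    lo, hi = band
    total, k = 0.0, int(math.ceil(lo / bin_hz))
    while k * bin_hz <= hi:
        total += goertzel_power(samples, k * bin_hz, fs)
        k += 1
    return total


def beacon_ratio(samples, fs=SAMPLE_RATE):
    """Beacon-band power relative to the reference band's noise floor."""
    beacon = band_power(samples, BEACON_BAND, fs)
    floor = band_power(samples, REFERENCE_BAND, fs) + 1e-12
    return beacon / floor


def has_beacon(samples, fs=SAMPLE_RATE, threshold=10.0):
    """True when the 18-20 kHz band carries far more energy than its
    neighbour; the 10x threshold is this example's choice."""
    return beacon_ratio(samples, fs) > threshold


def synth_audio(beacon_hz=None, beacon_amp=0.05, seed=1):
    """Constructed test audio: a 440 Hz programme tone plus faint noise,
    optionally with a quiet, inaudible beacon tone mixed in."""
    rng = random.Random(seed)
    out = []
    for i in range(WINDOW):
        t = i / SAMPLE_RATE
        x = math.sin(2.0 * math.pi * 440.0 * t) + rng.uniform(-0.01, 0.01)
        if beacon_hz is not None:
            x += beacon_amp * math.sin(2.0 * math.pi * beacon_hz * t)
        out.append(x)
    return out


if __name__ == "__main__":
    clean = synth_audio()
    tagged = synth_audio(beacon_hz=19000.0)
    print("clean  ratio %8.2f beacon=%s" % (beacon_ratio(clean), has_beacon(clean)))
    print("tagged ratio %8.2f beacon=%s" % (beacon_ratio(tagged), has_beacon(tagged)))
```

The beacon tone is mixed in at one twentieth of the programme's amplitude, well below anything a listener would notice, yet it dominates the 18 to 20 kHz band by orders of magnitude because ordinary audio carries almost nothing there; that contrast, not absolute loudness, is what such detectors (and the tracking SDKs themselves) rely on.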

"Almost a year after app developer SilverPush vowed to kill its privacy-threatening software that used inaudible sound embedded into TV commercials to covertly track phone users, the technology is more popular than ever, with more than 200 Android apps that have been downloaded millions of times from the official Google Play market, according to a recently published research paper."

Source: Ars Technica

Microsoft won't teach an old, or possibly deceased dog new tricks

Subject: General Tech | March 31, 2017 - 12:45 PM |
Tagged: microsoft, server 2003, security

Microsoft is once again putting sales ahead of customer security, although it is for a 10 to 14 year old operating system which they officially pulled the plug on almost two years ago. Sadly, the end of support did not have any impact on the infrastructure budget allocations of tens of thousands of businesses, and so Server 2003 remained in use. Security researchers spotted an attack last year which exploits a buffer overflow vulnerability in IIS WebDAV. Predictably, Microsoft's answer is that you should buy a brand new server OS, with hardware upgrade costs likely to be required as well. Thankfully there is a patch available from a third party, which you can check out over at The Register.

It is a dream, but perhaps this might convince some bean counters that an infrastructure upgrade might be a reasonable investment.

"Microsoft will not patch a critical security hole recently found and exploited in IIS 6 on Windows Server 2003 R2 – the operating system it stopped supporting roughly two years ago."

Source: The Register

Enable Flash for a $5 FedEx coupon?

Subject: General Tech | March 27, 2017 - 12:40 PM |
Tagged: security, flash, fedex, coupon

FedEx seems to be indicating they are not quite ready for Adobe Flash to go away, by offering certain customers a $5.00 coupon to enable it. This was likely triggered by the mass migration of browsers away from Adobe's much-beleaguered media plugin; Chrome only loads Flash content after user intervention, and both Edge and Firefox will soon discontinue support as well. The offer is for FedEx Office Print customers, but you can certainly take a peek yourself if you want to try it, though The Register cautions against abusing it lest we all lose the benefit. There is a link to download Flash on FedEx's website, but if you do decide to update or install Flash we would suggest you head straight to Adobe to get it.

"The offer's being made to users of FedEx Office Print, the custom printing tentacle of the transport company. FedEx Office Print lets customers design posters, signs, manuals, banners and even promotional magnets."

Source: The Register

That's not ominous; so-called crimeware installed in 10 industrial plants

Subject: General Tech | March 23, 2017 - 12:43 PM |
Tagged: security, siemens, crimeware

This story at The Register raises more than a few concerns, the first of which is that Dragos, the industrial cybersecurity firm which detected the infection, called it crimeware. This is a lovely term for the media to use when explaining why computer security is important, but it carries little valuable information for those wondering exactly what this breach entails. We are all well aware that malware and viruses are used for criminal purposes, not for the benefit of the users who get infected.

It gets better: the infected code was first detected in 2013 and was flagged as a false positive. This infected software has been installed on the Siemens programmable logic controllers of at least 10 industrial plants, in some cases for at least four years. The insecurity of the Internet of Big Things is much scarier than the issues with the IoT; a hacked camera can ruin a person's or a family's day, but a hacked power grid has ruined the day of entire countries.

"The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we're told. At least 10 industrial plants – seven in the US – were found running the infected software, a study by industrial cybersecurity firm Dragos claims."

Source: The Register

Industrial strength hacking

Subject: General Tech | March 16, 2017 - 12:51 PM |
Tagged: iot, scary, scada, security, ics

The Register posted a cheerful article today discussing the security of the other Internet of Things, which they have dubbed the Internet of Big Things. Botnets formed out of compromised toasters, refrigerators and webcams are one thing; taking over power stations and industrial equipment is quite another. Citizens of Ukraine know the dangers all too well, having had their power grid taken offline once in 2015 and again more recently by nefarious means. Take a read through to learn how vulnerabilities in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems could be used to cause significant harm, and about a search engine reassuringly named Shodan.

"The Internet of Big Things exists because it makes perfect sense to have accessibility to equipment from afar. Industrial systems are complex, specialist items and for many such systems it’s common for there to be only a handful of qualified maintenance staff in the country, continent or world."

Source: The Register