August 2015 News and Updates

Cyber Tech Cafe

  

What’s New

  • Welcome BlitzComputing – We are excited to announce the recent acquisition of Blitz Computing and welcome the Blitz Computing family into the Cyber Tech Cafe family.  We’ve worked extensively with the leadership at Blitz Computing to make certain that the transition is transparent.  We look forward to working with you as your new tech support company!
  • Hacker Play Date v2.0 – The first Hacker PlayDate (HPD) ended up being a much bigger success than we expected and, as a result, we will be hosting the second Hacker PlayDate (HPDv2.0) on 12 September 2015.  HPDv2.0 will be held in the meeting room at Primo’s Mexican Cocina (next door to Cyber Tech Cafe) so we won’t be quite as cramped.  The format will be similar but we plan to have some additional booths (tables) set up for things like lock picking, Raspberry Pi, etc. (the lock picking table seemed to be a big hit at HPDv1.0).  If you are interested or if you know someone else that would be interested in a demo (anything from lock picking to physical security to hacking a Raspberry Pi to setting up a network to building a gaming rig), let us know.  We have a few demos / presentations scheduled so far but welcome more.  More information is available on the new Hacker Playdate website here.
  • New Content – You’ll notice a new content section below titled ‘Security News, Sponsored by Piratica’.  As many of you may already know, Cyber Tech Cafe has partnered with Piratica, LLC to focus on security from an offensive perspective.  In addition to the vendor specific updates from Microsoft, Adobe and Oracle (Java), we will now also be bringing you more generalized security updates from the industry at large.
  • Windows 10 – Most of you have heard about, many have signed up for and some have installed Microsoft’s new version of Windows, Windows 10.  We have been testing Windows 10 for several months now in preparation for the release and can support it but our position has not changed regarding new Windows releases.  If you have a business or other *requirement* pushing you to upgrade, do so in a planned / controlled fashion and test, test, test before installing into a production environment.  Our standard approach has always been to wait until the release of Service Pack 1 but Windows 10 is changing this a bit with its rolling updates approach.  Windows 7 will still be supported until 14 January 2020 so, unless you *need* to upgrade to Windows 10 (your software / hardware vendors require it), we recommend sticking with Windows 7 until a specific need to upgrade arises for production environments.

Updates

Executive Summary – There are critical updates in Windows, Office, etc., Adobe (Flash) and Java this month.  As of this email, there are no exploits available for any of the Microsoft vulnerabilities but it is unclear whether exploits for the Adobe vulnerabilities are currently being used (I am inclined to err on the side of caution and say that it’s very likely, given the Priority 1 / Critical nature of the updates).  All of the critical updates address problems that can allow a remote attacker full access to affected computers.  Users and administrators are encouraged to review the details of the patches and, if possible, patch immediately.

Microsoft – Again, Microsoft released 14 bulletins this month (MS15-079 through MS15-092, note that MS15-078 addressed the out-of-band Microsoft Font Driver vulnerability).  Four of the bulletins are rated as critical by Microsoft and all 4 address vulnerabilities that could lead to remote code execution and have an exploitability index of 1 (note that MS15-091 is critical as well).  The remaining 10 are rated by Microsoft as important and address vulnerabilities that could lead to remote code execution or elevation of privilege.  Several of the updates will require a reboot to complete the update.

Microsoft releases regular updates on the second Tuesday of each month, often referred to as ‘Patch Tuesday’.  These updates are categorized as Low, Moderate, Important or Critical.  Details on the categories are available here.  The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server.  If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.

Additional details are available from Microsoft here and here (SANS).

 

Adobe – There is a single update to Adobe Flash Player (APSB15-19) noted on the Adobe Security page as of this email.  The update patches a critical vulnerability in Adobe Flash Player that could allow an attacker full control of a vulnerable system.  It’s worth noting that, unless you *need* Adobe Flash Player or Adobe Shockwave player, it wouldn’t be a bad idea to simply uninstall them.  Additional details on this are available from Adobe here.

Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month.  Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products.  Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).

Additional details are available from Adobe Here including links to download the update(s) and instructions for installation.

 

Java – The Java update to Java 8 update 51 is now available via the regular Java update page.  This update addresses a critical vulnerability in Java 8 update 45.  Also, it’s worth checking to make certain that you do not have any older (vulnerable) versions of Java installed on your computer.  In Windows, you can check this by going to Add / Remove Programs and looking for older versions.

Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections.  Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months.  It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.

Additional details are available from Oracle here.

 

Piratica

Security News, Sponsored by Piratica – Two of the most interesting things that I saw at DEFCON 23 were the Social Engineering Village and the Internet of Things Village.  Social Engineering is basically ‘hacking the human’ and we see it all the time with things like phishing emails (Would you like to buy some Viagra?), fake support calls (Yes, this is Bob from Microsoft Support, would you let me remote into your computer to fix a problem that you didn’t know you have?), etc. and, unless the Rules of Engagement prohibit it, it’s usually one of our go-to attacks on actual engagements because it works.  Regardless of the acceptable use policies, OpSec / InfoSec training, stern warnings from well-intentioned IT departments, etc., social engineering just works and regardless of the technical safeguards (firewalls, access control, network segmentation, logging, IDS / IPS, etc.) deployed, we simply cannot secure our networks until we can secure the humans that use them.  The Internet of Things is basically all of the Internet-connected ‘things’ that we see day to day like baby monitors, security cameras, thermostats, set-top boxes, etc.  These things can deliver a lot of convenience but they do so by connecting to services on the Internet.  If the thing and the connection are properly secured this isn’t a problem but, as we saw in the IoT Village, ‘properly secured’ was usually the exception and not the rule and unauthorized access to many of these things was pretty easy to get.  Like the human clicking on the Viagra email or letting Bob with Microsoft Support get remote access to their computer, until we can secure these ‘things’ (or keep them off of the protected network altogether), we’re going to have a hard time securing everything else.

Piratica is an operational security company that works with client organizations to identify potential security vulnerabilities through vulnerability assessments, penetration tests and red / blue team exercises.  Additional information is available on the website, Facebook and Twitter.

 

 

These updates will be automatically reviewed, approved and installed for MyIT Customers.  If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know.  The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold).  Pricing is based on the number of physical locations, servers and workstations that you have.