September 2015 News and Updates

Cyber Tech Cafe

  

What’s New

  • Hacker Play Date v2.0 –  The first Hacker PlayDate (HPD) ended up being a much bigger success than we expected and, as a result, we will be hosting the second Hacker PlayDate (HPDv2.0) on 12 September 2015.  HPDv2.0 will be held in the meeting room at Primo’s Mexican Cocina (next door to Cyber Tech Cafe) so we won’t be quite as cramped.  The format will be similar but we plan to have some additional booths (tables) set up for things like lock picking, Raspberry Pi, etc. (the lock picking table seemed to be a big hit at HPDv1.0).   If you are interested, or if you know someone else who would be interested in giving a demo (anything from lock picking to physical security to hacking a Raspberry Pi to setting up a network to building a gaming rig), let us know.  We have a few demos / presentations scheduled so far but welcome more.  More information is available on the new Hacker Playdate website here.
  • Windows 10 –  Most of you have heard about, many have signed up for and some have installed Microsoft’s new version of Windows, Windows 10.  We have been testing Windows 10 for several months now in preparation for the release and can support it, but our position has not changed regarding new Windows releases.  If you have a business or other *requirement* pushing you to upgrade, do so in a planned / controlled fashion and test, test, test before installing into a production environment.  Our standard approach has always been to wait until the release of Service Pack 1, but Windows 10 is changing this a bit with its rolling updates approach (there will be no Service Pack 1 to wait for).  Windows 7 will still be supported until 14 January 2020 so, unless you *need* to upgrade to Windows 10 (your software / hardware vendors require it), we recommend sticking with Windows 7 in production environments until a specific need to upgrade arises.

Updates

Executive Summary –   There are critical updates for Microsoft (Windows, Office, etc.), Adobe (Shockwave) and Java this month.  According to Microsoft and SANS, there are exploits available for at least one of the Microsoft vulnerabilities (MS15-097), and SANS has assigned an exploitability rating of 0 (the most severe tier of Microsoft’s 0 to 3 Exploitability Index) to MS15-100 as well, though I haven’t been able to find exploit code for it yet.  The Adobe Shockwave vulnerability is critical but, realistically, our recommendation is to simply remove Adobe Shockwave altogether if that’s an option.  The Java update appears to be primarily cosmetic, with some basic bug fixes.

Microsoft – Microsoft released 12 bulletins this month (MS15-094 through MS15-105).  Five of the bulletins are rated as critical by Microsoft and all five address vulnerabilities that could lead to remote code execution.  SANS has six of the bulletins listed as critical, with exploitability ratings ranging from 3 (exploitation unlikely) all the way to 0.  The remaining bulletins are rated by Microsoft as important and address vulnerabilities that range from Information Disclosure to Security Feature Bypass and Elevation of Privilege.  Several of the updates will require a reboot to complete the update. 

Microsoft releases regular updates on the second Tuesday of each month, often referred to as ‘Patch Tuesday’.  These updates are categorized as Low, Moderate, Important or Critical.  Details on the categories are available here.  The updates can include any supported Microsoft product, from Windows to Office to Internet Explorer and server products like Exchange and SQL Server.  If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.

Additional details are available from Microsoft here and from SANS here.

 

Adobe – There is a single update, to Adobe Shockwave (APSB15-22), noted on the Adobe Security page as of this email.  The update addresses a critical vulnerability in Adobe Shockwave that could allow an attacker full control of affected computers.  SANS has a diary entry on the vulnerability here and notes that the vulnerability is already being actively exploited.  Additional details on this are available from Adobe here.

Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month.  Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products.  Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).

Additional details are available from Adobe here, including links to download the update(s) and instructions for installation.

 

Java – The Java update to Java 8 Update 60 is now available via the regular Java update page.  This update seems to be primarily features and window dressing, but the release notes do list some bugs that were squashed.  Also, it’s worth checking to make certain that you do not have any older (vulnerable) versions of Java installed on your computer: Java updates do not always remove earlier releases, and an old Java 6 or Java 7 install left alongside 8u60 is still exploitable.  In Windows, you can check this by going to Add / Remove Programs (‘Programs and Features’ on Windows 7 and later) and looking for older Java entries.

Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections.  Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months.  It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
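The ‘check for old Java versions’ advice above, and the earlier recommendation to remove Shockwave altogether, can both be turned into a quick inventory script.  The PowerShell below is an added example (it is not from the newsletter and not an Oracle or Adobe tool): it reads the same registry keys that Add / Remove Programs displays, lists every Java and Shockwave entry, and flags anything older than Java 8 Update 60 (the current release assumed here; adjust the number when Oracle ships the next update).  The function name Get-JavaShockwaveInventory is our own choice.

```powershell
# Added example: inventory Java and Adobe Shockwave installs on a Windows PC.
# Reads the uninstall keys behind "Programs and Features" (both 64-bit and
# 32-bit views) and flags old Java releases and any Shockwave install.
# Run from an elevated PowerShell prompt; it only reports, it removes nothing.

function Get-JavaShockwaveInventory {
    param(
        # Assumption: Java 8 Update 60 is current as of this newsletter.
        [int]$CurrentJavaMajor  = 8,
        [int]$CurrentJavaUpdate = 60
    )

    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java|Shockwave' }

    foreach ($app in $Installed) {
        $verdict = 'keep'

        if ($app.DisplayName -match 'Shockwave') {
            # Shockwave is rarely needed and has a critical, exploited bug this month.
            $verdict = 'REMOVE (Shockwave not needed on most machines)'
        }
        elseif ($app.DisplayName -match '^Java(\(TM\))?\s+(\d+)\s+Update\s+(\d+)') {
            # Matches "Java 8 Update 60", "Java 7 Update 79", "Java(TM) 6 Update 45", etc.
            $major  = [int]$Matches[2]
            $update = [int]$Matches[3]
            if ($major -lt $CurrentJavaMajor -or
                ($major -eq $CurrentJavaMajor -and $update -lt $CurrentJavaUpdate)) {
                $verdict = "REMOVE (older than Java $CurrentJavaMajor Update $CurrentJavaUpdate)"
            }
        }
        elseif ($app.DisplayName -match '^Java') {
            # JDKs and unusually named entries: look at them by hand.
            $verdict = 'REVIEW (unrecognised Java entry, e.g. a JDK)'
        }

        [pscustomobject]@{
            Name      = $app.DisplayName
            Version   = $app.DisplayVersion
            Verdict   = $verdict
            Uninstall = $app.UninstallString
        }
    }
}

Get-JavaShockwaveInventory | Sort-Object Verdict, Name | Format-Table -AutoSize
```

The Uninstall column shows the command Windows itself would run for that entry; for Java (which installs as an MSI package) that is an msiexec /x line you can run from an administrative prompt to remove the old version silently.  Remove old Java releases only after confirming nothing on the machine (an SSL VPN client, a banking application) is pinned to that specific version.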

Additional details are available from Oracle here.

 

Piratica

Security News, Sponsored by Piratica – The InfoSec community is abuzz at the moment.  The only thing that seems to be more common than hearing about another large data breach is hearing about how ‘sophisticated’ the attacks leading to the breach were.  The latest that I’ve seen is the recently publicized breach of Excellus BlueCross BlueShield in New York.   According to the article, the breach actually happened in December of 2013 but was only discovered in August of 2015 when Mandiant was brought in to test their systems.  One thing that’s notable and, I believe, noble in this is that Excellus hired Mandiant after hearing about the Anthem breach to test their systems and make certain that they had not been breached as well.  Unfortunately, they found that they had been, but it’s encouraging to see companies realizing the value of proactively testing their security infrastructure and incident response plans.  Attackers and other threat actors often rely on network defenders and blue teams not being accustomed to, or even familiar with, modern tactics for attacking a network.  Penetration testers and red teams force defenders and blue teams to adapt and evolve their tactics by simulating real-world attacks. 

Piratica is an operational security company that works with client organizations to identify potential security vulnerabilities through vulnerability assessments, penetration tests and red / blue team exercises.  We believe that the first step in any solution is to correctly and completely identify the problem.  Additional information is available on the website, Facebook and Twitter.

 

 

These updates will be automatically reviewed, approved and installed for MyIT Customers.  If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know.  The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold).  Pricing is based on the number of physical locations, servers and workstations that you have.