Executive Summary – This month’s dominant tech news story had headlines warning us that “‘All Wi-Fi networks’ are vulnerable”. Security researcher Mathy Vanhoef of imec-DistriNet discovered a vulnerability in the WPA2 standard that has been dubbed KRACK (Key Reinstallation Attacks) and, according to the researcher, “works against all modern protected Wi-Fi networks.” The attack is particularly devious in that it not only allows for things like “steal[ing] sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on” but can also allow the attacker to “inject ransomware or other malware into websites”. The paper goes on to say that “if your device supports Wi-Fi, it is most likely affected.”
Also this month, using Shodan, a search engine for Internet-connected devices, we are able to see that 1,104,611 devices worldwide are potentially still vulnerable to the Eternal Blue exploit used in the infamous WannaCry and Petya attacks. These numbers stress the need for companies and individuals to install operating system and software updates / patches in a timely manner. Even with the best firewall, anti-virus, and monitoring solutions out there, a poorly patched system can leave a network highly vulnerable.
Microsoft – Microsoft released a total of 203 patches this month (though many of them share the same KB number and will present to the user as far fewer due to the new “Rollup” update process in place), with 82 of them rated with a max severity of “Critical”. This month, Microsoft unintentionally released a bugged update (KB4041676 and KB4041691) that led Server 2016 and Windows 10 machines to display the dreaded BSOD, causing headaches for sysadmins all over. The update was pulled from the catalog shortly after release and serves as a shining example of why testing updates before deploying them to a large user base is always a good plan.
Microsoft releases regular updates on the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.
Adobe – Adobe released only 1 update this month (APSB17-32). The only Adobe product addressed in the update was Adobe Flash Player, with a Remote Code Execution vulnerability present in all operating systems. For those of you keeping track, based on Adobe’s announcement that the Flash EOL date will be “before the end of 2020”, that gives us, at most, 1,169 days until it is finally gone. Someone should throw a big party 😀
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Java / Oracle – The latest update for Java is Version 8 Update 151, released on 17 October 2017.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Security News, Sponsored by Piratica – Offensive security can be a difficult concept for many traditional organizations to understand. In most cases, physical risk is relatively easy to understand, and doing things like having gates and locks for access control, locked file cabinets to secure sensitive records and cameras or security guards is commonplace. Identifying these vulnerabilities (unlocked doors, etc.) is relatively easy and the mitigation (lock the doors, etc.) is usually equally easy. They’re physical. When it comes to identifying vulnerabilities and threats in the digital world, though, and then quantifying the risk that the combination of threats and vulnerabilities poses to an organization, it’s not quite so easy. We can’t see or touch a SQL Injection vulnerability but, if an attacker finds one on our website and is able to use it to download PII or ePHI, it becomes very real. We can’t see a remote code execution vulnerability in the file server that was accidentally exposed to the Internet but, if an attacker spots it and uses it to encrypt all of our data, that too becomes very real. Recent events (WannaCry and Petya specifically) have helped to bring the importance of offensive security to light (and into the C-Suite) but there’s still a way to go.
Piratica is a risk management firm and we work with client organizations to help them identify and understand the risks to their organizations from cyber criminals. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on our website, Facebook and Twitter or via our free weekly email newsletter (signup available on our website here).
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.