Executive Summary
Happy New Year, Happy New Decade and welcome to 2020. Below is a quick summary of the highlights so far; additional details on each follow:
- Crypto spoofing vulnerability in Windows. The NSA disclosed a vulnerability in the Windows cryptographic subsystem affecting Windows 10 and Windows Server 2016 and 2019 (a BBC article notes that Server versions prior to Server 2016 are not impacted) that could allow an attacker to digitally sign malware (or anything else) with a certificate Windows would trust, fooling users and their computers into executing malicious programs. The patch is included in the January updates and should be applied as soon as possible.
- Windows 7 and Windows Server 2008 are officially retired and are no longer supported. If you have any of these devices still on your network, removing or replacing them should be a top priority.
- Two new BlueKeep-style vulnerabilities in the Windows Remote Desktop components, exploitable without valid credentials. If you have Remote Desktop services available to the Internet, this affects you. If at all possible, access to Remote Desktop should be limited to internal or VPN connections only.
- We are excited to announce that we will be making some significant changes to our MyIT program over the first quarter of this year that we believe will make it even more valuable to our MyIT clients. Some highlights are below and we’ll be elaborating more in coming months:
- We are extending regular business hours for MyIT customers, with business-hours support now starting at 8:00am rather than 9:00am ET.
- We are upgrading our network and systems monitoring infrastructure to be able to alert
- Unattended remote support is now exclusively available to MyIT clients.
- DC770 – Cyber Tech Cafe is a proud supporter and co-sponsor of the DC770 DEF CON group that meets monthly at 7:00pm ET at Jefferson’s restaurant in Cartersville on the first Tuesday of each month. More information is available at https://dc770.org .
Update Info
Microsoft
Probably the biggest thing out of the Microsoft camp this month is the end of life for several of its flagship products, including Windows 7 and Windows Server 2008. If you still have either of these products in your organization, especially if you have any kind of regulatory compliance requirement like PCI, HIPAA, GLBA, etc., getting these systems upgraded or replaced should be near the top of your priority list.
Tied for the biggest thing out of Redmond are three significant vulnerabilities: one in the cryptographic subsystem (Windows CryptoAPI) and two in the Remote Desktop components. On the crypto bug, a BBC article notes that on the server side only Server 2016 and Server 2019 are affected, leaving Server 2012 immune; the flaw is in how CryptoAPI validates elliptic-curve certificates, so it only matters where that code exists. The crypto vulnerability is very significant in that Windows would accept an attacker-crafted certificate as if it chained to a trusted root, which allows an attacker to spoof valid code signing certificates to make malware look benign, or to make a malicious man-in-the-middle host look legitimate over TLS, among a host of other things. One interesting bit of trivia is that this vulnerability was disclosed by the NSA. The Remote Desktop vulnerabilities are BlueKeep-style bugs: they can give remote attackers code execution on exposed, vulnerable servers without valid credentials.
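One concrete check a practitioner can run, added here as an example (it is not code from the original post or from Microsoft): the flaw Microsoft patched was in how CryptoAPI validated elliptic-curve certificates that carry explicit curve parameters instead of a standard named-curve OID, which is what let a forged certificate be matched against a trusted root. Legitimate certificates essentially always use a named curve, so a useful triage step on a certificate (for instance the signer certificate of a suspicious signed binary, exported to DER) is to look at how its EC key encodes the curve. The Python below does that with a small DER walker, standard library only; the sample SubjectPublicKeyInfo blobs are constructed placeholders with invalid key material, and the OID constants are the standard RFC 5480 / PKCS#1 values.

```python
"""Classify how an EC public key's curve is encoded in a DER X.509
SubjectPublicKeyInfo (or a whole certificate): named-curve OID vs explicit
parameters.  Standard library only; the sample keys below are constructed
placeholders, not real keys."""

EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"   # id-ecPublicKey
P256_OID = "1.2.840.10045.3.1.7"          # secp256r1 (a named curve)
RSA_OID = "1.2.840.113549.1.1.1"          # rsaEncryption (no curve at all)


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length: 0x8N then N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode OID content octets (base-128 arcs) to dotted notation."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def ec_parameter_kind(der):
    """Find the first id-ecPublicKey AlgorithmIdentifier in a DER blob and
    report its parameters: 'named' (curve OID), 'explicit' (full ECParameters
    SEQUENCE), 'implicit' (NULL/absent), or None if there is no EC key."""
    pos = 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
        if tag == 0x30 and value and value[0] == 0x06:
            _, oid, after = _read_tlv(value, 0)
            if _decode_oid(oid) == EC_PUBLIC_KEY_OID:
                if after >= len(value) or value[after] == 0x05:
                    return "implicit"
                return {0x06: "named", 0x30: "explicit"}.get(value[after], "unknown")
        if tag & 0x20:                    # constructed: descend into SEQUENCE/SET/[n]
            found = ec_parameter_kind(value)
            if found:
                return found
    return None


# --- minimal DER encoder, used only to build the constructed sample inputs ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))


def _spki(alg_params, point=b"\x04" + b"\x11" * 64):
    """SubjectPublicKeyInfo with a placeholder (invalid) uncompressed point."""
    alg = _tlv(0x30, _oid(EC_PUBLIC_KEY_OID) + alg_params)
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + point))


# Constructed samples: a normal P-256 key, and one carrying explicit ECParameters
# (version, fieldID, curve, base point, order) with placeholder values.
NAMED_CURVE_SPKI = _spki(_oid(P256_OID))
EXPLICIT_PARAMS = _tlv(0x30, b"".join([
    _tlv(0x02, b"\x01"),                                         # version 1
    _tlv(0x30, _oid("1.2.840.10045.1.1") + _tlv(0x02, b"\x7f")), # fieldID: prime-field, p
    _tlv(0x30, _tlv(0x04, b"\x01") + _tlv(0x04, b"\x02")),       # curve: a, b
    _tlv(0x04, b"\x04\x05\x06"),                                 # base point G
    _tlv(0x02, b"\x7d"),                                         # order n
]))
EXPLICIT_CURVE_SPKI = _spki(EXPLICIT_PARAMS)
RSA_ALG_ID = _tlv(0x30, _oid(RSA_OID) + _tlv(0x05, b""))

if __name__ == "__main__":
    for label, blob in [("named", NAMED_CURVE_SPKI), ("explicit", EXPLICIT_CURVE_SPKI), ("rsa", RSA_ALG_ID)]:
        print(label, "->", ec_parameter_kind(blob))
```

For a real certificate, pass the DER bytes of the whole file (`ec_parameter_kind(open("signer.cer", "rb").read())`); the walker descends into the certificate structure until it reaches the key's AlgorithmIdentifier. An "explicit" result on a certificate that claims to chain to a public root is a strong reason to distrust that signature, but this is a triage heuristic only: it does not validate the chain, and the actual fix is to install the January update, after which Windows compares the full curve parameters itself.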
In all, Microsoft released updates for 50 vulnerabilities this month. Eight of those were rated critical by Microsoft and, according to both SANS and Microsoft, can be exploited without any user interaction. All of the critical vulnerabilities are remote code execution (RCE) vulnerabilities.
Additional details on Windows updates are available from Microsoft, the Patch Tuesday Dashboard, Krebs on Security, Threatpost and the SANS Internet Storm Center.
Adobe
Adobe patched nine vulnerabilities this month, including five critical vulnerabilities affecting Adobe Illustrator CC. The remaining patches cover a number of products including Experience Manager, ColdFusion, Brackets, Photoshop CC, Adobe Acrobat and Adobe Reader.
Like Microsoft, Adobe (for the most part) now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation.
Oracle
Since Oracle stopped providing free updates to its Oracle Java product for commercial customers back in January 2019, we've really not covered a lot of Oracle news. The announcement from Oracle that its quarterly update this quarter patched more than 300 bugs, tying its previous all-time high (in July of last year), seemed like as good a reason as any to mention them this month though. Threatpost has a really good write-up on the updates here.
Security News
Organizations in the small to medium business space often make two critical mistakes when it comes to security: they underestimate their need and overestimate their readiness. The result is a vulnerable attack surface that is poorly defended. Two examples we have seen recently are organizations that don't have a VPN and expose Remote Desktop Protocol (RDP) directly to the Internet for remote access into their network, and organizations that try to use a 'silver bullet' approach to shortcut good security.

With exposed RDP, attackers are often able to simply guess the credentials, brute force a set of credentials until one works, or find unpatched vulnerabilities that let them bypass logging in altogether (BlueKeep is a recent example). Patching addresses the last of those; only taking RDP off the Internet (or putting it behind a VPN) and watching for failed logons address the first two.

In the case of a 'silver bullet' approach, organizations try to substitute supposedly invulnerable systems for security (there has long been a myth that Apple / Mac systems are invulnerable to attack) or apply a single layer of protection (like antivirus). A recently discovered virus affecting Apple / Mac systems highlights that a) they aren't invulnerable, b) antivirus isn't a silver bullet and c) the bad guys don't have to find a vulnerability in your technology (a more detailed write-up is available here). If your organization accepts credit cards and is not currently conducting the required quarterly wireless and vulnerability scans or annual penetration tests and would like more information, you can contact us here.
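The credential guessing described above leaves a clear trace on the target: failed logons are recorded in the Windows Security log as event 4625, with LogonType 10 (RemoteInteractive) for a classic RDP logon and LogonType 3 when Network Level Authentication rejects the password before a session starts. The detection below is an added example, not code from the original post: it takes a list of 4625 records (in production exported from the Security log, for instance with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`, or from a SIEM), counts failures per source IP in a sliding window, and separates a brute force against one account from a password spray across many. Standard library Python; SAMPLE_EVENTS is constructed test data using documentation IP ranges, and the thresholds are assumptions to tune for your environment.

```python
"""Flag RDP password guessing from Windows Security log events (4625 = failed
logon).  Standard library only; SAMPLE_EVENTS is constructed test data, not a
real log.  In production the records would come from an export of the Security
log (e.g. Get-WinEvent) or from a SIEM."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed RDP logons show up as LogonType 10 (RemoteInteractive) or, when Network
# Level Authentication rejects the password before the session starts, LogonType 3.
RDP_LOGON_TYPES = {3, 10}


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5), spray_users=3):
    """Sliding-window count of failed RDP logons per source IP.

    Returns {ip: {"kind": "brute-force"|"password-spray", "failures": n,
    "users": [...]}} for every IP that reached `threshold` failures inside
    `window`.  Many distinct target accounts from one IP is classified as a
    password spray, repeated attempts on few accounts as brute force.
    threshold/window/spray_users are assumed starting values, not standards."""
    recent = defaultdict(deque)            # ip -> deque of (time, target user)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 4625 or ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["IpAddress"]
        if ip in ("-", "127.0.0.1", "::1"):   # console/local failures carry no usable source
            continue
        t = datetime.fromisoformat(ev["TimeCreated"])
        q = recent[ip]
        q.append((t, ev["TargetUserName"].lower()))
        while t - q[0][0] > window:          # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            kind = "password-spray" if len(users) >= spray_users else "brute-force"
            prev = alerts.get(ip)
            if prev is None or len(q) >= prev["failures"]:
                alerts[ip] = {"kind": kind, "failures": len(q), "users": users}
    return alerts


def _ev(ts, ip, user, event_id=4625, logon_type=10):
    """Build one constructed log record with the fields the detector reads."""
    return {"TimeCreated": ts, "IpAddress": ip, "TargetUserName": user,
            "EventID": event_id, "LogonType": logon_type}


# Constructed sample: one host hammering 'administrator', one spraying several
# accounts via NLA (LogonType 3), one user mistyping a password twice, plus a
# successful logon (4624) and a console failure that must both be ignored.
SAMPLE_EVENTS = [
    _ev("2020-01-15T10:00:00", "203.0.113.5", "administrator"),
    _ev("2020-01-15T10:00:10", "203.0.113.5", "Administrator"),
    _ev("2020-01-15T10:00:20", "203.0.113.5", "administrator"),
    _ev("2020-01-15T10:00:30", "203.0.113.5", "administrator"),
    _ev("2020-01-15T10:00:40", "203.0.113.5", "administrator"),
    _ev("2020-01-15T10:00:50", "203.0.113.5", "administrator"),
    _ev("2020-01-15T10:05:00", "198.51.100.7", "alice", logon_type=3),
    _ev("2020-01-15T10:05:05", "198.51.100.7", "bob", logon_type=3),
    _ev("2020-01-15T10:05:10", "198.51.100.7", "carol", logon_type=3),
    _ev("2020-01-15T10:05:15", "198.51.100.7", "dave", logon_type=3),
    _ev("2020-01-15T10:05:20", "198.51.100.7", "erin", logon_type=3),
    _ev("2020-01-15T10:07:00", "10.0.0.12", "frank"),
    _ev("2020-01-15T10:07:30", "10.0.0.12", "frank"),
    _ev("2020-01-15T10:08:00", "10.0.0.12", "frank", event_id=4624),
    _ev("2020-01-15T10:09:00", "-", "grace", logon_type=2),
]

if __name__ == "__main__":
    for ip, a in detect_rdp_guessing(SAMPLE_EVENTS).items():
        print(f"{ip}: {a['kind']} ({a['failures']} failures, users={a['users']})")
```

On the sample data the first host is reported as a brute force (six failures against one account) and the second as a password spray (five accounts in twenty seconds), while the user who mistyped twice is not reported. Account lockout policy alone does not cover the spray case, which is exactly why attackers use it; the detector keys on the source address rather than the account so both patterns surface.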
Piratica is a risk management firm. We work with client organizations to help them identify and understand the risks to their organizations so that those metrics can be incorporated into the organization's overall security strategy. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on our website, Facebook and Twitter or via our free email newsletter (signup available on our website here).
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.