“Do you know the way to San Jose?”

Another cyberattack targets the San Fran Transport Agency.


Normally the 181 Express to San Jose will cost you about $10 and take about 1 hour and 42 mins. But this weekend you could travel for free, thanks to another demonstration of cybercrime—this one reconfirming the dangers of ransomware and its potentially devastating effects when used against public service networks.

In this case, screens that would normally show train departure and arrival times displayed a message informing users they had been hacked, and that MUNI, San Francisco’s Municipal Transportation Agency, had one more day to pay the bitcoin ransom equivalent to $73K.

While it’s not yet known who’s responsible for the attack, nor exactly how they did it, numerous reports suggest the hacker used the email address previously linked to the Mamba ransomware strain first seen in September 2016.


A screen at a Muni train station shows the ransom message from HDDCryptor, another name for the Mamba family.

Assuming this attack is linked or similar to Mamba, it’s worth looking at in a little more detail.

Mamba, named after the deadly snake, takes a different approach from most ransomware: instead of encrypting individual data files, it encrypts the entire drive. The OS, the file system's own metadata (the master file table included) and your documents all become unreadable at the block level, and the machine will no longer boot; what the user sees instead is the ransom note the malware writes into the boot sector.

Mamba does this with the freeware DiskCryptor software rather than with encryption code of its own. It's highly likely that unaware users are clicking on targeted emails, which deliver both the scripts and the tools needed to encrypt the drive.

This type of ransomware is perfect for an attack on an organization like MUNI. Why? Unlike other attacks we have seen (like in healthcare), where the encrypted data and personal files are worth big money on the black market, knocking operating systems out at a public transportation agency brings operations to a screaming halt, causing service disruption and revenue loss and making the ransom look well worth paying. And what commuters don't think about while they are enjoying a free ride is that the lost revenue and ransom costs are more than likely going to be recouped through increased commuter costs.

So, in the long run, everyone but the hacker loses out in the aftermath of an attack. That’s why organizations must do more to prevent attacks rather than simply detecting them.

Wherever you are in the world, you probably have organizations, governments, and security authorities providing recommendations on how to protect your organization from threats like Mamba. The FBI, the Australian Signals Directorate, the UK’s National Technical Authority for Information Assurance (CESG), and the SANS institute are just some examples.

These experts all agree that to protect against attack you should:

  • Patch the OS
  • Patch apps (not just Microsoft ones)
  • Remove local administrative privileges from the desktop estate
  • Implement application control or whitelisting to allow only the known good

Shavlik offers a solution that addresses all four of these prevention approaches: Shavlik Patch patches the OS and third-party applications, and Application Manager for SCCM removes local administrative privileges and provides application control.

Latest Updates for macOS Sierra and more…

Early last week Apple released update 10.12.1 for macOS Sierra, Security Update 2016-002 for El Capitan, and Security Update 2016-006 for Yosemite. Updates were also released for Safari (10.0.1) and iOS (10.1.1). These updates were released just in time for an Apple-hosted Mac-centric product event.

With update 10.12.1 for macOS Sierra being the first update available to Sierra since it was released, there are a number of fixes included for some of the most pressing issues identified in this latest operating system. Here are some of the fixes that are available with the 10.12.1 macOS Sierra:

  • An automatic smart album in Photos for Depth Effect images taken on iPhone 7 Plus
  • Improved compatibility between Microsoft Office and iCloud Desktop and Documents
  • Improved security and stability in Safari
  • Improved reliability of Auto Unlock with Apple Watch
  • Fixed issue where mail was prevented from updating when using a Microsoft Exchange account
  • Fixed issue where text was sometimes pasted incorrectly when using Universal Clipboard

macOS Sierra/El Capitan/Yosemite

macOS Sierra 10.12.1 includes fixes for 14 vulnerabilities, 2016-002 El Capitan includes fixes for 8 and 2016-006 Yosemite includes fixes for 5.

Many of the vulnerabilities relate to escalation of privilege, arbitrary code execution, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4661: An application may be able to cause a denial of service.
  • CVE-2016-4675: a libxpc component vulnerability where a local application may be able to execute arbitrary code with root privileges.
  • CVE-2016-4669: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel.

These examples are noteworthy because local privilege escalation and kernel code execution bugs are typically the second step of an attack that begins with social engineering: once a user has been tricked into running the attacker's code, bugs like these take the attacker from that user's rights to root or the kernel. From there, the other vulnerabilities may be useful to gain additional access or information.

Safari 10.0.1

This update includes fixes for 4 vulnerabilities, all of which address the issue where processing malicious web content may lead to arbitrary code execution.  Since these vulnerabilities have to do with users visiting bad websites or web ads which may result in running malware, this update should be applied on all systems.

iOS 10.1.1

This update includes fixes for 17 vulnerabilities, one of which was just added today. These vulnerabilities span issues from arbitrary code execution to the leaking of sensitive user information.

Summary

It is highly likely that additional fixes will be added to the iOS update in the upcoming days. You can also expect to see a macOS Sierra 10.12.2 update released to the general user base real soon since the macOS Sierra 10.12.2 update is already in beta.

Windows 7 and 8.1 servicing changes!?!?

I have had this question come at me from a dozen directions today, so I thought I would provide my thoughts on these changes in a more consumable and easily shared format.

First off, let's summarize the changes. Microsoft has announced that it is changing the servicing model for Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. There will be a monthly roll-up similar to Windows 10 where all security and non-security updates are bundled in a single cumulative update. This means that starting in October the OS and IE updates will consolidate from several individual updates into a single cumulative bundle. Come November, the next cumulative will include the October updates as well, and so on.

Microsoft is also going to provide a security only bundle for each month which is a little different.  The security bundle will allow enterprises to download only the security updates, but it will still be a single package with all security updates for that month bundled together in a single package.

.NET Framework will have a separate monthly roll-up and security-only option that updates only the versions of .NET already installed on the system. This update will not upgrade .NET to a newer version.

FAQ:

We will start with my favorite one.  Q: Did this change surprise you?

Chris: No, I actually made a prediction internally and had a bet with one of our content team members.  The prediction occurred when Microsoft first released the Convenience Roll-up.  I predicted that Microsoft would make this change before the year was out.  It just seemed like a logical next step.  Tylere owes me a six pack of good craft beer now.

Q: Why did Microsoft make this change?

Chris: They state similar reasons in their blog post that I linked to above.  I will state one other reason that I expect had a little something to do with it.  This was one of the final barriers to many companies making the switch to Windows 10.  Being able to pick and choose which updates to deliver to systems, especially in the case where something breaks had many companies holding back from moving to Windows 10.  Moving to the bundled approach has removed this convenience, although they are providing the security only bundle for each month.  One thing to note, in the write-up Microsoft did not state that this security only bundle was cumulative so we will have to wait and see if they are cumulative or not.

Q: Why is the cumulative bundled approach a deterrent for enterprises?

Chris: The biggest challenge with the cumulative roll-ups is that any breaking change in the environment means you need to choose between applying the cumulative bundle, which may include many security fixes, and breaking a business-critical application if the two conflict. On pre-Windows 10 systems a single conflicting patch meant making an exception for one patch instead of the entire month's patch bundle.

If you recall the Windows 10 cumulative for January that broke the Citrix VDA client, Microsoft and Citrix had to coordinate a window of opportunity for Citrix to release an update to resolve the issue.  In this case it was a pretty quick turn around and customers with the VDA client installed on Windows 10 were able to apply the VDA update a week later then apply the Windows 10 January cumulative.

It did not seem too bad with just one week of lag time, but what if the cumulative breaks an application that is home grown, or one from a vendor who may no longer be in business? If a fix is either not forthcoming or comes months later, this means that you cannot apply the next month's cumulative, or the month after, etc., until the issue is fixed. I have talked to many companies about concerns regarding the cumulative bundled service model for this reason.

Q: What does this mean for the Shavlik or LANDESK products I use to patch my environment?

Chris: Like Windows 10, for us it is business as usual. We will continue to support these updates as they release. It really is just a change from 6-10 OS patches each month down to 1 patch that needs to be applied for the OS and IE. So expect a cumulative roll-up or security-only bundle for the OS, a .NET roll-up, and other Microsoft apps like Office, SQL, and SharePoint mixed in depending on the month.

As always, we will be keeping an eye on any changes that develop and providing guidance and recommendations.  Sign up for our Patch Tuesday webinars to keep up to date on the latest from Microsoft and 3rd Party Vendors like Adobe, Google, Mozilla, Apple, Oracle and more.  From our Patch Tuesday page you can find future webinar registrations, previous Patch Tuesday infographics, presentations, and on-demand webinar playback from previous months.

July Patch Tuesday 2016


Even though there are no ‘Zero Day’ vulnerabilities, July’s Patch Tuesday is far from boring. So far, we have Adobe releasing updates for Adobe Flash, Acrobat and Reader. Additionally, Microsoft is releasing 11 updates, six of which are critical. In upcoming news, Oracle is due to have its quarterly Critical Patch Update release next Tuesday, July 19th. We also have the one year anniversary of Server 2003 end of life on July 14th, and it looks like the anniversary update for Windows 10 is slated for August 2nd – although the Insider build looks like it may have just stabilized on 1607 this week.

Starting with Adobe, they have released two bulletins. The first was preannounced last week as APSB16-26, a Priority 2 update for Acrobat and Reader resolving 30 vulnerabilities. As a reminder, the last Acrobat\Reader update was in May, which was also a Priority 2 with 82 vulnerabilities resolved.

Flash player also has an update this month. APSB16-25 is a Priority 1 update resolving 52 vulnerabilities, the worst of which would allow an attacker to take full control of the affected system. If you recall last month, Adobe announced a ‘Zero Day’ on June’s Patch Tuesday, but released APSB16-18 on June 16th, along with 35 other CVEs. With that said, if you have not updated Flash Player in a while, you’ll want to put extra emphasis on updating this month ASAP.

Oracle’s Quarterly Critical Patch Update will be coming down the pipeline later this month, and is scheduled for next Tuesday, July 19th.  Be on the lookout for a Critical Java release and plan to include it in your monthly patch maintenance.

Microsoft’s release this month includes six critical updates and five important ones. This month, Microsoft is reporting two public disclosures and is resolving 41 distinct vulnerabilities.

First, let’s talk browser updates: MS16-084 for Internet Explorer is rated critical and fixes 15 vulnerabilities. MS16-085 for Edge is also rated critical and fixes 13 vulnerabilities. Both updates include vulnerabilities that are user targeted, meaning an attacker would be able to exploit a user through specially crafted content. These updates also include several vulnerabilities that can be mitigated by proper privilege management, meaning, if a user who clicks on the specially crafted content is a full admin, the attacker will have full control over the target system.

MS16-086 is a cumulative update for Jscript and VBscript. The bulletin is rated critical and resolves vulnerabilities that are user targeted and mitigated by proper privilege management. This is a continuation of a bulletin chain dating all the way back to MS10-022 and released in April 2010.  The replacement chain is nine deep, and back in December 2015, Microsoft changed the title from “Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution” to “Cumulative Security Update for JScript and VBScript to Address Remote Code Execution.”  The last three in the chain appeared in consecutive Patch Tuesdays from May to July 2016.  It seems a cumulative Jscript\VBScript update may be a fairly regular addition to Patch Tuesdays, so keep an eye out for that.

MS16-087 addresses two vulnerabilities in Windows Print Spooler that could allow Remote Code Execution and Elevation of Privilege if the attacker is able to perform a man-in-the-middle attack on a workstation or print server, or to set up a rogue print server on a target network.

MS16-088 addresses seven vulnerabilities in Microsoft Office and SharePoint. This update is also rated critical and includes vulnerabilities that are user targeted, and some that can be mitigated by proper Privilege Management. The vulnerabilities could allow Remote Code Execution if a user opens a specially crafted Office document. An attack could come in the form of an email attachment or through hosted web content. On SharePoint, according to Microsoft's documentation, the vulnerabilities appear to allow only Information Disclosure, and the rating drops to Important for the SharePoint and Web Apps components, so the urgency is lessened somewhat for those products.

MS16-093 is the last of Microsoft’s critical bulletins this month. This is the Flash Plug-in for IE update. It resolves the 52 vulnerabilities included in APSB16-25, and should be a high priority this month, along with the other Microsoft critical updates.

In addition to the critical updates, there are two important updates this month that warrant special mention. MS16-092 and MS16-094 both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited.

MS16-092 (CVE-2016-3272) is an important update in the Windows Kernel on 8.1, and later editions, that could allow a Security Feature Bypass. Likewise, MS16-094 (CVE-2016-3287) is a vulnerability in Secure Boot on the same platforms that could allow for Security Feature Bypass. In both cases, an attacker would need to either use an additional exploit (MS16-092) or have full administrative privileges or physical access to the system (MS16-094), making these two bulletins tougher nuts to crack.

This wraps up our early analysis of the July Patch Tuesday Bulletins.  For more detail join us tomorrow for our regular Patch Tuesday webinar.
How much could your world change in two weeks? From a Security perspective, everything could.


It has been just two weeks since RSA. What has changed in this time frame? Well, we had a Patch Tuesday, for one. Barely two days later Adobe released a Flash Player update including fixes for known critical vulnerabilities, including one that was observed in targeted attacks.

According to Verizon's 2014 breach report, within two to four weeks of publication, 50% of the vulnerabilities that will ever be exploited already have been. Verizon's 2015 DBIR goes a step further and talks about ways to profile a vulnerability to identify those likely to be exploited in that first 30 days. They said a CVE being added to Metasploit is pretty much the single biggest indicator that it has been or will be exploited in the wild. Another interesting pattern emerged when they looked across the 67k CVEs and found the 792 that were exploited. When you get down to the 24 that were exploited in the first month, a pattern emerges: the majority had Access Vector: Network and Authentication: None, were predominantly CVSS 9 or 10, and had Confidentiality, Integrity, and Availability impact all rated Complete.

So roughly 1 out of every 100 CVEs will be exploited, and 50% of those will be exploited within 30 days of publication. If you saw my 2015: Top 5 Vulnerable Vendors in mid-December you may recall the huge increase in the number of vulnerabilities identified last year. Based on those numbers the top 5 vendors accounted for 2624 vulnerabilities identified and addressed in 2015. At the 1-in-100 rate, about 26 of those were exploited, and at the first-month rate the DBIR observed (24 of 792), about one of them within the 30-day window. Adobe Flash alone accounted for more than 5 zero days last year.
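The DBIR profile above can be turned into a triage check. The following is an added example of mine, not code from the original post or from Verizon: it computes the CVSS v2 base score from a base vector string using the v2 specification's formula, flags the three fast-exploitation signals the post names (a Metasploit module, AV:N with Au:N, and a score of 9 or more with C/I/A all Complete), and orders a list of CVEs by how many signals match. The CVE records are constructed for illustration with placeholder IDs, and the Metasploit flag is assumed to come from your own module lookup.

```python
"""Triage CVEs by the CVSS v2 profile the DBIR associates with fast exploitation.

Added example, not from the original post or from Verizon. The CVE records
at the bottom are constructed, with placeholder IDs that are not real CVEs.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CVSS v2 base metric weights, from the CVSS v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
_REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse a v2 base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    metrics: Dict[str, str] = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"bad metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = [k for k in _REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} is missing {missing}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score: the spec's formula, rounded half-up to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # The spec's round_to_1_decimal rounds half up; Python's round() does not.
    return math.floor(raw * 10 + 0.5) / 10


@dataclass
class Cve:
    cve_id: str
    vector: str
    in_metasploit: bool = False  # assumed to come from your own module lookup


def exploit_signals(cve: Cve) -> Tuple[float, List[str]]:
    """Return the base score and the DBIR fast-exploitation signals that match."""
    m = parse_vector(cve.vector)
    score = base_score(cve.vector)
    signals: List[str] = []
    if cve.in_metasploit:
        signals.append("metasploit module")
    if m["AV"] == "N" and m["Au"] == "N":
        signals.append("network reachable without authentication")
    if score >= 9.0 and m["C"] == m["I"] == m["A"] == "C":
        signals.append("score >= 9 with complete C/I/A")
    return score, signals


def prioritize(cves: List[Cve]) -> List[Tuple[str, float, List[str]]]:
    """Order CVEs by number of matching signals, then by base score."""
    rows = [(c.cve_id, *exploit_signals(c)) for c in cves]
    rows.sort(key=lambda r: (len(r[2]), r[1]), reverse=True)
    return rows


# Constructed records with placeholder IDs; not real CVEs.
SAMPLE_CVES = [
    Cve("SAMPLE-1", "AV:N/AC:L/Au:N/C:C/I:C/A:C", in_metasploit=True),
    Cve("SAMPLE-2", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    Cve("SAMPLE-3", "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    Cve("SAMPLE-4", "AV:N/AC:L/Au:S/C:C/I:C/A:C"),
]

if __name__ == "__main__":
    for cve_id, score, signals in prioritize(SAMPLE_CVES):
        print(f"{cve_id}: {score:4.1f}  {', '.join(signals) or 'no fast-exploit signals'}")
```

Note that SAMPLE-3, a local root bug scoring 7.2, sorts last even though it outscores SAMPLE-2: the ordering follows the DBIR's observation that network-reachable, unauthenticated bugs are the ones that get exploited quickly, with the raw score only breaking ties.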

Since RSA, LANDESK has acquired AppSense! Among other things, AppSense provides application whitelisting and privilege management. The Australian Signals Directorate, SANS, and many other security agencies outline certain preventative strategies that should be at the heart of any security strategy. Application whitelisting (AppSense), patching applications (Shavlik), patching the operating system (Shavlik), and restricting administrator privileges based on user role (AppSense) can eliminate "at least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to".

I read a few different perspectives on RSA this year after the show was over.  Having been there this year and experiencing it first hand, I found this blog post by Gartner’s Anton Chuvakin to be very close to the mark. It is a good read, but here are a couple of excerpts that I found interesting: 

“A lot of the tools firmly target the “security 1%-ers”, NOT the mainstream.”

I saw a lot of this at the show as well.  Having an IT background and working on a product line that focuses on the Operations side of the house I can attest to the fact that there is still a gap between Operations and Security. Much of the focus and many of the “cool” solutions cater to the security 1%-ers.  Preventative measures are often overshadowed because they have been around for a long time and lack the glamour of the new security solutions, but they have a tried and true track record and can reduce risk to your environment significantly.

“Does this shit work and is it cost effective?!!”

This one actually cracked me up. Even more so because we are partnering with the team over at Bufferzone and I had a chance to listen to them position their offering.  Israel Levy delivered it in one simple statement, “You have heard of Bromium. Well this is Bromium, but it works.” I laughed when I first heard him and his team using this delivery, but after talking with them more I can absolutely understand and agree with it.  Bromium apparently has extremely high resource costs to run.  4GB RAM, i3 or better CPU, and Windows 7 or later.  Bufferzone will run lighter and across a broader set of hardware.

So, looking out two weeks, we will have a webinar with the Bufferzone team talking about how Shavlik and Bufferzone together give you a stronger layered security approach.  Check out our webinar: Don’t Let Hackers in Through the Front Door!

Year of breaches takes toll on IT professionals

The last 12 months was undoubtedly a year full of high-profile incidents for the security industry, from hacks to botched product updates. Shavlik, a pioneer in agentless patching technology, conducted its annual research report to identify the key security challenges that IT professionals are facing in their roles. This year, the results identified a strong shift in the risk this community associates with the security of assets and devices.

Security Concerns

It’s been revealed that over half (58%) of IT professionals are more concerned about system security than they were 12 months ago. And this makes sense after going through the list of repeated security breaches and data losses that 2015 brought with it. Organisations are now very aware of the sophistication and tenacity of modern hackers – either through their own experiences or in seeing the impact on others.

Windows Updates

The research also found that when it came to operating system patching security, 86% of the respondents agreed that Microsoft operating systems were seen to pose the strongest and most consistent challenge to their respective organisations and workforce.

It is interesting to note here that when compared to the 2014 research study, this issue has seen a 33% spike in associated risk. Some have linked this spike with the poor quality of Windows 10 updates for business, driving a general feeling of lack of control among IT professionals in the industry.

As we know, Microsoft offers automatic updates for Office users; however, many organisations may not want every user and every computer individually downloading the large packages that frequently come with new updates. This perceived lack of control mainly concerns the potential for system downtime and data vulnerability, which is understandably an issue for IT professionals.

Device Management

Last year, the focus of the enterprise market was on BYOD/CYOD working structures and the promise of a truly flexible/remote workplace. The previous year's study showed that 91% of respondents felt that they were unable to cope with patching mobile devices once users took them out of the office. Nearly two-thirds (64%) of respondents also admitted they did not understand how vulnerable mobile users were to current or existing risks. Fast forward to 2016 and you see a significant fall in concern in these areas, as IT professionals now have a better grasp of mobile device patching and security management.

This decreased concern for mobile devices indicates how much the industry has moved along as IT professionals have now stopped siloing mobile devices and systems within their organisation. Instead organisations are now moving toward strategies that cover all types of devices.

Truly good security management solutions enable mobile devices to be considered alongside laptops and other corporate systems, which is what we are seeing many companies readily embracing for 2016.

This coming year is most definitely the year of cybersecurity and increased IT support, considering the variety of existing threats to the whole organisation – irrespective of selected devices. The sophistication of recent hacks has highlighted that companies need to consider organisation wide security approaches to vulnerabilities to better protect their assets. All the while making the process of patching easier to manage.

Take a look at our Infographic for all the key findings from the survey.

Leap Day: A Good Time to Leap Into Better IT Security

It's February 29. Leap Day. The only day of the year that only happens every four years.

Leap Day and the entire leap year are opportunities to adjust our timekeeping methods and tools to realign them with those used by the rest of the Solar System.

Leap years have also seen some significant historical events—some good, some tragic.

1752: Benjamin Franklin is believed to have flown a kite in a storm to prove his theory that lightning is in fact electricity. (Thomas-François Dalibard of France did in fact perform the same experiment the same year, based on Franklin’s writings).

1848: gold is discovered in California.

1876: George Armstrong Custer and his troops fight the Battle of the Little Bighorn.

1912: RMS Titanic, the largest ship afloat at the time, strikes an iceberg and sinks.

Leap Day just might also be a great time to improve IT security at your organization. After all, it is an “extra” day, and what security team couldn’t take advantage of an extra day?

One suggestion: review your patch management processes. Look for ways to shorten the vulnerability gap—the time between when a vulnerability surfaces and when your organization deploys the patch delivered for it. Kenna Security research found in 2015 that 90 percent of vulnerabilities are exploited within 40 to 60 days, but enterprises can take 120 days or more to deploy patches. Whatever you can do to reduce this gap improves security at your organization, and is definitely worth doing.

For some additional suggestions, check out “New Year, No Fear: Lessons Learned from 2015 and Resolutions for 2016.” Then, make your own “great leap forward” toward better security at your organization.