Oracle releases large Critical Patch Update!

Oracle

Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.

The affected landscape deals mostly with business-critical applications, including: Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely, without authentication. Given the business-critical and financial data that could be exposed, it is highly recommended by Oracle to apply this update as soon as possible.

Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher and one vulnerability hit the 10 mark. This 10 was awarded to Oracle Primavera and is addressed by CVE-2017-3324.

For Java SE, there are a total of 17 CVEs, with all but one able to be exploited without authentication. Nine of the Java vulnerabilities are user targeted and three have a CVSS base score of nine or higher. Although the score decreases slightly when not running with elevated privileges, the risk threat is still notable and the vulnerabilities need to be mitigated quickly.

Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.

December Patch Tuesday 2016

PatchTues-Blog-Dec2016_v2

December Patch Tuesday has a flurry of exploits and public disclosures. Coming in to Patch Tuesday, we already had one zero day from Mozilla (CVE-2016-9079) which updated on November 30. Today, Adobe released nine bulletins, including a critical update for Adobe Flash that resolves a zero day (CVE-2016-7892). Microsoft is updating Flash for IE and also has five publicly disclosed vulnerabilities being resolved.

Starting with Firefox, Mozilla announced an update on November 30 that resolved a zero day in SVG Animation. This was identified in attacks targeting unmasking users of the Tor anonymity network. In an article from ZDNet, there was speculation from researchers that this exploit was very similar to an exploit known to have been used by the FBI back in 2013 that was used to unmask IP addresses of Tor users.

Today Mozilla is releasing version 50.1, which includes the Zero Day fix from 50.0.2, which released a couple weeks ago. If you have not already done so, ensure that Firefox is on your priority list this month.

Adobe has released nine bulletins today, but only one is rated as critical. I am sure most of you have guessed that it is for Flash Player and also includes a zero day.  APSB16-39 resolves 17 total vulnerabilities and the exploited CVE-2016-7892, which has been used in limited targeted attacks against Windows systems running Internet Explorer (32-bit).

According to an article from Threat Post, analysts from the Google Threat Analysis Group discovered the vulnerability and privately disclosed details to Adobe. Adobe did not have details around the specific attack and the Google researches have not disclosed any more detail publicly at this time.

As always, when there is a Flash Player update, you need to make sure to update all instances of Flash on systems. This means Flash plug-ins for IE, Chrome and Firefox. Some of these will auto update, others may take some prodding before they will update. This is why having a solution that can scan for all four variations is critical to make sure you have plugged all the vulnerabilities in your environment.

On to Microsoft. Microsoft has released a total of 12 bulletins, six of which are critical. Microsoft is resolving 42 unique vulnerabilities this month.

Aside from Flash for IE, Microsoft does not have any additional zero days to report, but they do have several public disclosures. A public disclosure means that enough detail has been released to the public to give a threat actor a jump start in developing an exploit. This puts their vulnerabilities at higher risk of exploit.

MS16-144 is a critical update for Internet Explorer that resolves eight vulnerabilities, three of which are publicly disclosed (CVE-2016-7282, CVE-2016-7281, CVE-2016-7202). Many of the vulnerabilities resolved in this update target a user through specially hosted websites and ActiveX controls and through taking advantage of user-provided content or advertisements or compromised websites.

MS16-145 is a critical update for the Edge browser that resolves 11 vulnerabilities, three of which are publicly disclosed (CVE-2016-7206, CVE-2016-7282, CVE-2016-7281). Similar to the IE vulnerabilities, many of the vulnerabilities resolved in this update target a user through specially hosted websites and ActiveX controls and through taking advantage of user-provided content or advertisements or compromised websites.

MS16-146 and MS16-147 are both rated as critical and affect components of the Windows Operating System. Both resolved vulnerabilities that would target a user and can be mitigated by running as less than a full administrator on the system.

MS16-148 is a critical update for Office, Sharepoint and Web Apps that resolves 16 vulnerabilities. Many of the vulnerabilities resolved in this update can target a user through specially crafted files. An attacker can also host specially crafted web content to exploit many of these vulnerabilities. CVE-2016-7298 is also able to use the Preview Pane as an attack vector.

MS16-155 is an important update for .Net Framework and resolves one vulnerability. Although only rated as important, this bulletin resolves a vulnerability that has been publicly disclosed (CVE-2016-7270), putting it at higher risk of being exploited.

There are additional bulletins from Adobe and Microsoft this month, but these are the bulletins that should be on your priority list for December.

As always, we will be running our monthly Patch Tuesday webinar, where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the December Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance. www.shavlik.com/Patch-Tuesday

 

 

 

 

November Patch Tuesday Forecast

windows8patchtuesday

Since October Patch Tuesday there has been a lot of activity. Oracle released their quarterly CPU including an update for Java JRE, Adobe resolved a Zero Day in Flash Player, our tip of the month, and a quick look at what to expect next week as Patch Tuesday hits.

On the Horizon

Actually more of a continuation from last month. On October 17th Oracle released their quarterly CPU including an update for Java JRE resolving seven vulnerabilities. All seven are remotely executable without the need for authentication and three of these have a CVSS score of 9.6. Java was actually on the lower end of total vulnerabilities addressed in an individual Oracle product for this CPU.  Ensure to include this update in your November testing if you have not already deployed it out.

Later in the month Adobe released a Critical Update for Flash Player resolving a Zero Day vulnerability (CVE-2016-7855). On October 26th Adobe released the update for Flash Player (APSB16-36) which started the clock for all the other vendors using the Adobe Flash Plug-In. When a Flash update occurs the plug-ins for Internet Explorer, Firefox, and Chrome also need to be updated.

Firefox uses the NPAPI version of Flash which was also released on the 26th.  The update for Flash for IE (MS16-128) released on October 27th plugging the Flash vulnerability. Google Chrome has two install options for Flash, one which relies on Chrome updating.  If you are using the Pepper Plug-In it was released on October 26th.  If you are using the traditional plug-in, this requires Google Chrome to be updated which occurred on November 1st.

In October, Microsoft changed their servicing model for pre-Windows 10 systems. I covered this extensively in a previous blog post, but there is a little ambiguity with Server 2016’s servicing model options. In a blog post from Microsoft they talk about a Security Only and a Security Quality option each month. This statement specifically caused several people to ask me some questions about how exactly Microsoft is handling updates on Server 2016.

“You can then have the flexibility to choose the security only update, or the quality update to build your patch management strategy around.”

The reality right now is Server 2016 updates are exactly like Windows 10. Cumulative bundles that include all updates that came before.  It will be interesting to see if a Security Only option does make itself available in November or sometime in the near future.  I expect a number of Microsoft customers would appreciate Security Only as an option for Server 2016.

Patch Management Tip of the Month

Exceptions: You can never push all patches. There is always an update that will conflict with business critical apps which cause exceptions. Documenting these exceptions and the reason they occurred is very important, but documenting an exception is just the beginning.

With each exception you are increasing risk. Each exception is an exposure that will potentially allow malware or ransomware into your environment or allows a threat actor to gain a foothold or move closer to proprietary information or user data.  With an exception you should also identify mitigating steps to reduce the risk. This may come in many forms, but here are some examples:

  • Least Privilege Rules will often mitigate the impact if an attacker is able to exploit a vulnerability. If you take a look at our Patch Tuesday infographics on our Patch Tuesday page you will see a column labeled “Privilege Management Mitigates Impact”.  These vulnerabilities will only gain the attacker equal rights as the user who is exploited.  If they are a full Administrator the attacker gains pretty much full access to the system. If they are running reduced privileges then the attacker must use an escalation of privilege vulnerability to gain sufficient permissions to do more.
  • Application Control will allow you to control what applications can be installed or run on a system and can effectively block most malware, ransomware, and other forms of attack. Application control can take many forms like Whitelisting or Blacklisting. These would be static application controls. More dynamic forms would include Trusted Ownership or Trusted Vendor rules. These are significantly easier to implement and maintain and also allow you to more easily rollout an effective Application Control Policy. The dynamic approaches are less commonly found, but we have a solution that can help there.
  • Containerization can effectively contain the more highly vulnerable user experiences like browsing the web and accessing email. Anything that occurs during these user experiences happens in a virtual container. If you have an exception on the system that is exposed by a phishing attack or drive by download the malicious payload whether a malvertising attack, ransomware, or some other form of malware would execute in the container and be separated from the physical system. Close the container (Browser or email, etc) and the threat goes away.

There are many other strategies to reduce exceptions from exposing too much risk like moving the sensitive application into a virtual environment and locking down access to that system to only require users, but this gives you some ideas. With every exception we recommend documenting the reason why it was made and the additional steps taken to reduce risk to the system.

Your Patch Tuesday Forecast

We are less than a week away from Patch Tuesday and as you can see there is a significant buildup of issues to deal with already. I would forecast that the 3rd party front is going to be lighter than normal for Patch Tuesday and we can expect an average workload from Microsoft on the order of ten or so bulletins total being released.

As always, join us for our Monthly Patch Tuesday Webinar next Wednesday November 9th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

 

 

 

 

May Patch Tuesday 2016

ShavlikMay_PATCH02fMay’s Patch Tuesday has a few juicy surprises for us. On the Microsoft side, there is one vulnerability being exploited in the wild that affects both Internet Explorer (MS16-051) and Windows (MS16-053).  Additionally, two public disclosures will raise concerns with Internet Explorer (MS16-051) and .Net Framework (MS16-065). We also have a Zero Day in Flash Player from Adobe that has caused some confusion considering Adobe just published an Advisory page (APSA16-02) stating the update resolves CVE-2016-4117, which was reported to Adobe by a researcher at FireEye, a security firm. We are also seeing Microsoft publish MS16-064, a bulletin to update Adobe Flash Player plug-in support for Windows and Internet Explorer; which has details of APSB16-15, including 24 CVEs that will be included in the update. So, the question is, why did Adobe not release the update?  Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?

In total, Microsoft released 16 bulletins today, eight critical and eight deemed important. There are also 33 unique CVEs being resolved, including one Zero Day that affects two bulletins and two public disclosures.

Today, Adobe released bulletins for Adobe Reader, Cold Fusion and an advisory for Flash Player that should see a bulletin release as soon as this Thursday. The two bulletins resolve for a total of 85 CVEs. With the addition of Flash Player later this week, if the Microsoft bulletin is accurate, it should bring the total to 109 CVEs resolved from Adobe this month.

MS16-051 is a critical update for Internet Explorer and Windows resolving five total vulnerabilities, including one known exploited (CVE-2016-0189) and one public disclosure (CVE-2016-0188).  The vulnerability that has been exploited can be used in user-targeted attacks such as through a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains equal privileges to the logged-on user, so running as less than administrator will mitigate the impact of exploitation.

It is recommended to get your IE updates rolled out quickly this month. For those running less than the latest IE version available for the OS its installed on, be aware that Microsoft reduced support in January to only update the latest version available on supported Operating Systems.

MS16-053 is a critical update for Microsoft Windows that resolves two vulnerabilities, including the known exploited (CVE-2016-0189).  This OS update is another that’s recommended to rollout as quickly as possible this month as it affects older versions of the OS and VMScript and JScript versions. The vulnerability that has been exploited can be used in user-targeted attacks such as a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains privileges equal to the logged on user, so running as less than administrator will mitigate the impact of exploit.

The other five critical updates from Microsoft affect Office, SharePoint and Windows OS. These bulletins should be tested and implemented within two weeks to reduce exposure.

MS16-065 is an important update for .Net Framework that includes a public disclosure. It is recommended to add this update to the two-week rollout list this month. A public disclosure means an attacker has additional knowledge, making CVE-2016-0149 more likely to be exploited. The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server.  On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.

Adobe Reader APSB16-14 is rated as a priority two, but resolves 82 vulnerabilities. By sheer force of numbers, we are suggesting this update be considered a higher priority. As a result, be sure it is tested and put into effect within four weeks.

Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th. With this in mind, the recommendation is to roll this update out immediately.

With Adobe Flash Player it’s important to keep in mind there are multiple updates that need to be installed in order to fully address the vulnerabilities, including Flash Player, Flash Plug-Ins in Internet Explorer (MS16-064), Google Chrome (expect an update when APSB16-15 releases later this week) and for FireFox.

Join us tomorrow for the May Patch Tuesday webinar where we will discuss the bulletins in more detail.

Java Out of Band! This vulnerability fits the profile…

Oracle has announced an out of band Java update to resolve a publicly-disclosed vulnerability that can be exploited over the network, without need for authentication. The vulnerability fits the profile of one that’s more likely to be exploited in 3o days or less.

The Oracle Security Advisory for CVE-2016-0636 provides the CVSS details regarding the vulnerability. The vulnerability has a CVSS of 9.3, access vector is network, access complexity is medium and authentication is none. Confidentiality, integrity and availability are all complete. If you have taken a look at Verizon’s 2015 Data Breach Investigations Report, the pattern indicates there is high risk of this vulnerability being exploited in a short time frame.

In the report, there is a section dedicated to indicators of risk, specifically focused on how they help to profile CVEs that are more likely to be exploited quickly. A vulnerability that ends up in the Metasploit framework is the most obvious indicator, since it would easily be replicated by a Threat Actor to exploit the vulnerability. However, based on the CVE information and analysis of over 67,000 CVEs, the Verizon team was able to uncover a pattern for vulnerabilities that have been exploited, including those exploited in less than 30 days.

The majority of vulnerabilities that have been exploited have an access vector of network; authentication would be none, and access complexity of medium or low. If confidentiality, integrity and availability are complete, and have a CVSS of nine or 10, it falls to a more critical time frame where it is likely to be exploited very quickly. (See image of the figure from the Verizon Breach Report)

VerizonCVEFigure

As a precaution, put some urgency on getting this updated as quickly as possible. Aside from meeting the pattern described above, this vulnerability has been publicly disclosed. The Shavlik Content Team is already working on releasing content for this update.

Java releases out of band to start off Patch Week

java_logoOn Friday, Oracle announced a Security Advisory for Java that is out of their normal Quarterly CPU cycle. This udpate resolves one critical vulnerability that an attacker would need to exploit before Java is installed on the target system. Exploiting CVE-2016-0603 would allow the attacker to completely control the target system if exploited but, to exploit the vulnerability, an attacker would have to convince a user to open specially crafted content and this would have to occur before Java is installed on the target system using an installer older than the newly updated versions (6u113, 7u97, or 8u73).

Oracle is also recommending “users who have downloaded any old version of Java prior to 6u113, 7u97, or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later”. This would prevent an attacker from taking advantage of the vulnerability in the future. Since this vulnerability affects windows systems installing Java, current instances are not as urgent of a concern. The immediate action is to remove older versions and only install using the latest release for each version.

Happy Patch Week!

November Patch Tuesday 2015

2015_11_09 PatchTuesday01

 

November Patch Tuesday comes with 12 Microsoft bulletins and an update for Adobe Flash Player. For Windows 10 users there is the question of the Fall Refresh. It did not release today, but it’s likely not too far off. We may even see it on Thursday.

Microsoft has released four critical updates and eight important updates. The updates are mostly OS related, but there is an Office update and two other updates that affect Skype for Business. Four of the bulletins are resolving a vulnerability that has been publicly disclosed. This means that these four bulletins are a higher risk of exploit. For these, expect that in as few as two to four weeks there could be working code exploits taking advantage of these vulnerabilities.

If you look closely at MS15-113, the update for the Edge browser on Windows 10, you will see that it has been released for the Fall Refresh (Threshold 2). Expect that you’ll need to apply this after you upgrade to Windows 10 build 1511, which we expect on Thursday of this week.

MS15-115 resolves seven vulnerabilities in Windows, which could allow remote code execution.  CVE-2015-6109 is resolved by this bulletin and has been publicly disclosed. This particular vulnerability resolves an issue where an attacker could gain information on the location of the Kernal driver in memory. 

MS15-116 resolves seven vulnerabilities in Office, Sharepoint, Lync and Skype for Business, which could allow remote code execution. CVE-2015-2503 is resolved by this bulletin and has been publicly disclosed. This vulnerability on its own is not too terrible, but if used in conjunction with other vulnerabilities it could be used to elevate privileges. 

MS15-120 resolves one vulnerability in Windows, which could allow an attacker to cause a denial of service to systems running IPSec. CVE-2015-6111 is resolved by this bulletin and has been publicly disclosed. 

MS15-121 resolves one vulnerability in Windows, which could allow an attacker to exploit Schannel using a man-in-the-middle attack. CVE-2015-6112 is resolved by this bulletin and has been publicly disclosed. 

On the third party front, Flash player has released an update that includes 17 security fixes. This is a Priority 1 update and should be considered a high priority. Keep in mind that with Flash Player comes additional updates. You should expect plug-in updates for Internet Explorer, FireFox and Chrome today as well. You must update the Player instance and all browser plug-ins to be fully protected from these 17 vulnerabilities.

Join us tomorrow for the November Patch Tuesday webinar where we will discuss the bulletins in more detail.

Good news regarding the IE Zero Day, MS14-021 has released and includes support for Windows XP

Microsoft has announced Security Bulletin MS14-021 on Technet to resolve the IE Zero Day identified on April 26th.  The Shavlik Content team is investigating and will be releasing support for this bulletin as soon as possible.  A restart will be required to apply the patch.  Also, if you have applied any of the mitigation steps you will need to take a look at the ‘Workarounds’ section of the bulletin to see if the steps you chose will need to be reverted.

For those of you on Windows XP, the bulletin identifies variations on IE 6, 7, and 8 and according to the MSRC post today, Microsoft has decided to support this bulletin on Windows XP.  According to Dustin Child’s post Microsoft “…made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system…”.

Watch for the Shavlik Content Announcement later today once we have tested and made it available to our customers.

 

 

New IE Zero Day being exploited in the wild, what does it mean for Windows XP?

internet-explorer1_12

I don’t think anyone will deny that Windows XP was expected to become a target after the EOL, but we couldn’t even make it to the first patch Tuesday after the EOL of Windows XP before a Critical IE Zero Day was discovered.  On Saturday April 26th, Microsoft announced Security Advisory 2963983 in response to attacks discovered in the wild against IE 9, 10, and 11.  The vulnerability also affects IE 6, 7, and 8, so those users still running on Windows XP systems are vulnerable to this Zero Day.

Protecting my Mom – New Generation of Attacks Threaten us All

Most days I sit comfortably at my desk behind multiple layers of defenses keeping myself and my machine from harm. I sip my coffee and don’t even think about defending threats from myself, instead most of my energy is focused on how do we push forward in our industry against those armies of darkness that seek to compromise our privacy, security and exploit information for their own cause. This week, was different. In three different cases, I found myself at the center of the attack. It was humbling, and at the same time reminded me of how much work we have to get done.

What scares me the most is the unsuspecting prey that countless hackers stalk?  I’m knowledgeable about what and how hackers try to exploit victims. But I worry about my friends and family members that don’t have that same savvy knowledge. I think about my Mom, using the internet for her banking and the occasional check of Facebook… little does she know she’s in the epicenter of the attacks.

So this Blog is the first of a series of three chronicling my last week. I want to share with you three attacks that happened to me in the hopes that it gives you a flavor for where attacks are coming from nowadays. No longer is it the rogue link to install software or the email bomb that just annoys you.  It’s a whole new world where callers, innocent internet checks, and group emails all lead towards exposure.

MONDAY:  Attack 1 – “Windows Service Center”

Last Thursday, I ended up getting home a bit early from a week of travel.  It was about 4:00 p.m. in the afternoon and the house phone rang. It was just me and my kids at home. My kids range in age from seven to eleven and in most cases, it would have been them to answer the phone, but I happened to be there. I grabbed the phone, looked at the number and saw it was a originating from New York. With family on the East coast, I didn’t think twice about grabbing the phone. After five seconds with no one speaking, I should have just hung up, but I stuck this one out. Then it happened… the attempted hack started.

Access DeniedThe caller identified himself and began, “Hello this is XXXXXX from the Windows Service Center.”  Intrigued, I decided to let him continue. “We have detected you have a computer virus on your machine and we’re here to help fix it.” At this point, my hack-o-meter instantly was pegged and I knew this was a scam, but for fun, I decided to let this play out. I asked, “how do you know I have a virus?”  He responded, “because we have systems that detect these sort of things.”  I asked, “how do you know it is my machine?” He retorted, “because we in America spy on our citizens.”  I had to laugh at this one, to use that approach was fascinating, and more curiously, based on background noise, I firmly believe this call was not originating in the United States. Again, I pushed a little bit harder, “I have two machines in my house, which one is it?”  He then responded, “I’m sure it is all of them, so we’ll fix them both.

If memory serves me right, I was cutting some tops off of strawberry’s at this point in the kitchen and he asked me to go over to my computer. I told him I was in front of my computer at this point even though I was still cutting up strawberry’s. He started off by asking me to go to my control panel in Windows and told me that my Windows Firewall wasn’t active. WOW! I thought to myself, this is an impressive scam!  Sure enough he successfully told me what to click (if I actually was in front of the computer) to navigate to my windows firewall and then told me the instruction to disable it because “bad software had taken it over.” Pretending I did, we continued. I asked him, “Are we done now?”  To which he responded that he’d need access to my machine to make sure. I told him that I didn’t know how to do that and he asked me to go to some website by an IP address. Of course, at this point he began to see through my ruse. I told him I couldn’t get there but asked him what was there and he told me it was something “like a WebEx or online meeting” where he could control my machine.

He pushed really hard to get me there, but after a few more questions from me he started to get VERY mad. Not to mention I had moved onto rinsing some peppers and the water running was likely giving me away too. He told me, “You could be arrested if you don’t eradicate this virus” and even played off the emotional heart-strings, “you are exposing your family to harm.”  Then he crossed a line that I’ve never seen before, “I’m not asking you to go here, I’m telling you that you must” as his voice took on a threatening tone.

At this point, I told him that I needed to speak with a supervisor to validate this was the right thing to do. A man got on the line, didn’t identify himself and when I asked where they were and what company they worked for, you could tell I now was the one trying to go after them.  After I told them how shallow it was to attack innocent people like this, he blurted out a few expletives and mumbled some other inappropriate comments before hanging up.

If I had played his game, I have no doubt that the website I would have gone to likely would have been a way for them to remote control into my computer and more than likely it would have been used to download some Malware onto my machine. Things like key-loggers to capture my every password, my access, and even troll around my machine for some good documents that I might have. No doubt, my machine would have gone from a well-protected one to one that was riddled with Malware with a firewall turned off. All scary realizations for me.

…But could this have turned out differently?

What’s more scary though is I still play this story out with the “what-if” scenarios. What if my son had answered the phone? What if my wife had answered the call? Would they have played along or have gotten off the phone before damage was done? If they had played along, would the call have ended so innocently that they’d not have shared what happened with me? Could they have used my home machines (which don’t have valuable data) as a conduit to my work one, which definitely is more sensitive? The caller had the skills to make themselves sound believable, and the pressure-cooker capabilities of a time-share salesperson. They were well skilled to have seen this be a success.

On the heels of this event, I did everything I could to trace this attack back. It turns out the NY phone number was masked and it was originating from an exchange in India. The IP address website I was asked to access was from China. The call-back information was obviously invalid and I didn’t take the charade far enough to get more data to track them Typing on computerdown. Hindsight being 20/20, I wish I had spun up one of my Malware Virtual Machines to access their website and see what else they did or at least trace the traffic from that event back to a more authoritative location so I could snoop back at them. More than likely they were using the computer of their previous victim, so that likely would have led nowhere, but nonetheless, I came up short on sleuthing this one.

Beyond the attack on me, I went online and began to search for the keywords from this conversation, “Windows Service Center” and a few others. It turns out there were more than a few dozen of these attacks reported, each recounted a story like mine, and in many cases, the victims acknowledged they were successfully exploited as part of this attack.

The Moral of Part One

What’s the moral of this story?  There is no safe phone call and there is no innocent phone call. Unfortunately, it won’t take you long to go online and search and find other scams like this. Just this week we heard of the IRS phone scam defrauding millions from people impersonating the IRS. Some tips for all of us (and my mom) on this one:

  1. If someone calls, unfortunately, don’t trust them and make sure you validate their identity.
  2. Watch for key signs that the call is illegitimate. Ask yourself, does the caller ID number make sense? If it is “Unknown” really question it. If it is from outside of your home country, question it as well.
  3. If they are legitimate, they should be fine with you calling them back. Ask for their number and extension and ring them to validate you have a good number for them. At the same time however, if they give you an out of country number, DON’T CALL IT. This is a different type of scam…
  4. Never put yourself at risk doing something you know is wrong. Your firewall is there for a reason. We write patch-management software for a reason, never let someone ask you to take it down.
  5. If someone asks you to do something suspicious like go to an unverified website… don’t do it.
  6. Never… EVER… let them pressure you with commands or threats to do something you don’t want to.
  7. Call the authorities and email us. This activity is illegal and is a cybercrime. By you reporting it, people like me find out about it and then we go after these criminals.
  8. When in doubt, call/email me before you do anything… and I’m not just talking about emails from my mom… I’ll take emails from anyone on subjects like this.

I wish there was a switch on the wall that I could flip for us all to turn off the darkness.  Unfortunately, there isn’t. In the interim though, we’re here to make it safe for us all as best as we can. Be safe everyone.