Friday, March 30, 2018

New Windows 7 and Server 2008R2 out of band patch

Microsoft usually only issues patches on the second Tuesday of every month (so-called “Patch Tuesday”). However, when there is a vulnerability that is being exploited in the wild (or is likely to be) Microsoft may issue an out of band patch. That’s exactly what happened yesterday. The vulnerability being patched was introduced when Microsoft patched Meltdown and Spectre in January. In that patch, Windows separates page tables between user space and kernel space to mitigate processor vulnerabilities (kernel page table isolation). But this apparently creates a new problem in Windows 7 and Server 2008R2.

The new vulnerability allows any user on the machine to read and write to the memory of any process, including the kernel. Ironically, this is worse than the original Meltdown vulnerability which only allowed attackers to read (but not write) arbitrary memory. In other words, the patch creates a problem worse than the original vulnerability the patch was written to solve.

Read the full story on the Rendition Infosec corporate blog.

Tuesday, March 27, 2018

Atlanta government was compromised in April 2017 - well before last week's ransomware attack

Last Thursday, the City of Atlanta suffered outages from a ransomware attack. During the press conference (recorded here), city officials indicated that they were invested in cyber security. They noted that they were working with state and federal law enforcement to resolve the incident and had even been in contact with the Secret Service. Officials noted that this type of attack (and outage) was happening to many organizations. Officials attempted to convey that despite adopting cyber security best practices, the City of Atlanta was victimized. This prompts the question “Was the City of Atlanta following cyber security best practices?”

Though little is known about the internals of the city’s cyber security posture, we quickly learned that the city had exposed remote desktop protocol (RDP) to the Internet with no multi-factor authentication*. This is extremely important: without multi-factor authentication, any attacker who obtains a valid username and password combination can log straight into your information systems from anywhere on the Internet.

*Full disclosure: We’re a little biased on the need for multi-factor authentication, Rendition Infosec installs and monitors multi-factor authentication solutions, click here to learn more.

Cybersecurity Hygiene

Leaving RDP open to the Internet is bad, but leaving SMB (Windows file sharing, or Server Message Block) open to the Internet is much worse. Most readers probably remember the WannaCry ransomware campaign that shut down services at the UK’s National Health Service and elsewhere in May 2017. These attacks were powered by the leaked (allegedly NSA) exploit EternalBlue. In June, the same leaked exploit was used in the NotPetya attacks to target Ukrainian businesses (though impacts were felt worldwide). The EternalBlue exploit targets the SMB service on unpatched computers.
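The exposure described in the two paragraphs above (RDP and SMB reachable from the Internet) is something an organization can check for itself by scanning its own public address ranges and triaging the results. The following script is an added example, not code from Rendition Infosec or from the original post: it parses nmap's grepable (`-oG`) output format, keeps only open TCP ports, and flags SMB (445/139) as critical and RDP (3389) as high, matching the post's ranking. The scan output, hostnames and addresses are constructed sample data (documentation ranges), and the severity rules are this example's own assumption. An open port says nothing about whether multi-factor authentication is enforced behind it, so a clean result here does not settle that question.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output from an external scan of an
# organisation's own public ranges. Addresses are RFC 5737 documentation space.
SAMPLE_SCAN = """\
# Nmap 7.70 scan initiated (constructed sample)
Host: 203.0.113.10 (vpn.example.test)\tStatus: Up
Host: 203.0.113.10 (vpn.example.test)\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 203.0.113.11 (files.example.test)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 203.0.113.12 (web.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/closed/tcp//ms-wbt-server///
"""

# Assumed triage rules for this example: SMB exposed to the Internet is worse
# than RDP exposed to the Internet, as the post argues.
EXPOSURE_RULES = {
    445: ("SMB", "critical"),
    139: ("SMB (NetBIOS session)", "critical"),
    3389: ("RDP", "high"),
}

SEVERITY_ORDER = {"critical": 0, "high": 1}

HOST_FIELD = re.compile(r"Host: (\S+) \(([^)]*)\)")
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)/")


@dataclass(frozen=True)
class Finding:
    host: str
    hostname: str
    port: int
    service: str
    severity: str


def parse_grepable(text):
    """Yield (ip, hostname, port, state, proto) for every port entry in nmap -oG output.

    Each "Host:" line is tab-separated; the "Ports:" field holds comma-separated
    entries of the form port/state/proto/owner/service/rpcinfo/version/.
    """
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_FIELD.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                pm = PORT_FIELD.match(entry.strip())
                if pm:
                    yield ip, hostname, int(pm.group(1)), pm.group(2), pm.group(3)


def find_exposures(text):
    """Return Findings for open TCP RDP/SMB ports, most severe first."""
    findings = []
    for ip, hostname, port, state, proto in parse_grepable(text):
        # Closed or filtered ports are not reachable and are not findings.
        if state != "open" or proto != "tcp":
            continue
        if port in EXPOSURE_RULES:
            service, severity = EXPOSURE_RULES[port]
            findings.append(Finding(ip, hostname, port, service, severity))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.port))
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_SCAN):
        print(f"{f.severity.upper():8} {f.host:15} ({f.hostname}) tcp/{f.port} "
              f"{f.service} reachable from the Internet")
```

Run against a real `nmap -oG` file, the same `find_exposures` call produces the worklist: SMB findings go to the top because the post's point is that they are the worse exposure, and the closed RDP port on the web host is correctly ignored because only the open state counts.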

Read the full story on the Rendition Infosec corporate blog.

Tuesday, March 6, 2018

Countering Russian cyber influence operations

Last Friday in SANS NewsBites, I saw an article talking about how NSA has not taken any action against the reported Russian cyber influence operations in US elections. Many laypeople have commented to me that the US can’t continue to operate in an environment in which other countries can try to influence our elections. But my follow-up question to them is always “how would you fix this?” The answers often start out strong, but when we dig into them a little, we find out there are significant problems with implementation.
*Full disclosure: I’m on the editorial board for SANS NewsBites. You should subscribe and use it for expert opinions on cybersecurity news.

Influence operations in cyberspace are a form of asymmetric warfare. As we have learned from Facebook’s identification of advertising buys by Russian organizations, the cost to launch an influence operation is low. Unfortunately, the cost to counter an influence operation is very high. There are very limited options to counter a cyber influence operation and they all have serious problems. We intentionally won’t address the legal issues with each – let’s assume that the legislature will clear any legal hurdles that need to be addressed.

Options for dealing with cyber influence operations
  1. Counter with your own influence operations to negate undue influence from foreign actors
  2. Hack those performing the cyber influence operations and prevent them from performing the operations
  3. Sanctions or other political pressure against those conducting the cyber influence operations
  4. Conduct cyber influence operations against the aggressor hoping for a “cyber cease fire”
  5. Force the platforms used for influence to limit their susceptibility to such operations
  6. Criminally charge those involved in influence operations

Read the full post at the Rendition Infosec corporate blog.