RJS launches new security website

April 3, 2012

Filed under: Leigh's Security Tips, More Knowledge - More Security, RJS Software



After several years of successful growth as a part of RJS Software, RJS Smart Security branched off as its own business unit in December of 2011. With that step came the need for a website to share our unique story.

Today we launched www.rjssmartsecurity.com. Most importantly, this site shares our thoughts on practicing smart document and data protection via our “Lean Security” methodology. If you’re in need of PCI or HIPAA assistance, help building an iron-clad security strategy, or a product that can solve your encryption needs, don’t hesitate to give our RJS Smart Security team a call!

RJS Smart Security has finally arrived! Check out our new security website - www.rjssmartsecurity.com - and let us know what you think!

RJS Lean Security

February 13, 2012

Filed under: Leigh's Security Tips, More Knowledge - More Security, RJS Software



While the bread-and-butter of RJS Software’s business has always been our document management software products, we made a strategic decision three years ago to add a security consulting wing to our organization. Since then, security has become an integral part of the document management lifecycle and how we protect your data and sensitive corporate information.

In the last three years, we’ve also come across an industry-wide complaint about security consultants. They’re too expensive and projects take too much time. You know what … we couldn’t agree more. That’s why we have developed a security methodology called, “Lean Security.”

There’s a way to make your security strategy work smarter, not harder. Perfect security is a pipedream. So use what you have and learn from what works. Simply follow these six principles when building your lean security strategy.

The idea of perfect security is a trap.
Embrace the 80/80/80/80/80 rule. You’re better protected with several slightly imperfect layers, than one single line of defense.

Make changes. Measure results. Do more of what worked. Repeat.
Stay one step ahead of attackers by enhancing your operational efficiency. Take the time to learn and minimize resource waste.


Horsing around at ShmooCon

February 6, 2012

Filed under: More Knowledge - More Security



Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference.

1) Operations

For many years, the community has been saying that security is facing an operations challenge, not simply one of just technology and cash flow. Simply put, most people aren’t following our advice. Administrators aren’t reviewing logs, systems are still unpatched and users are still running as administrators. Risk increases every day when people don’t do the right thing; this is the fundamental reason most people get successfully attacked.

In many ways, this flaw in operations is like having a horse. You build a great stable. You put in lights and a heater. You put nice locks on the doors. You build out the plumbing system so the horse can have fresh water and then finally … you buy a horse and put it in the stable. Sadly, most companies get to this point and then, after spending tens of thousands of dollars on their horse, decide spending $100 on oats is too expensive and just toss scraps into the stable as time permits.

Sadly, we live in a world full of dead and starving horses.


Password Security and Schools

January 3, 2012

Filed under: More Knowledge - More Security



For those who don’t know, when attackers successfully breach a system, they often share the information they find publicly on the internet. For those on the illegal side of Information Security, this awards them the satisfaction of adding another notch on the scoreboard and further shames those who have poor security. For people like me on the legal side, we receive the ability to gather passwords used in the real world and analyze commonalities, variations and patterns. For this reason, I have several automatic searches that notify me when certain information gets leaked.

Recently, I was alerted to a situation that occurred at the George Washington Middle School in Ridgewood, New Jersey. I won’t link to the actual leaked data, but suffice to say it contains enough administrative information to access their systems. I did not verify this to the point of logging in, but it certainly looks correct and the leak has already been plugged, thus illustrating the sensitivity of the information revealed. Besides the data mentioned above, the leak also contained usernames and passwords for 246 sixth graders.

You’d think with 246 young students, you’d see 200, perhaps even 225 unique passwords, right? And if default passwords were created for them by a network administrator, you’d hope all 246 were unique. When analyzing the data, however, there were only 34 unique passwords. 34!

Here they are:

  • glasses = 13 (5.28%)
  • finish = 12 (4.88%)
  • button = 12 (4.88%)
  • dinner = 12 (4.88%)
  • oranges = 12 (4.88%)
  • apples = 12 (4.88%)
  • letter = 12 (4.88%)
  • stormy = 12 (4.88%)
  • gentle = 11 (4.47%)
  • cupcake = 11 (4.47%)
  • winter = 11 (4.47%)
  • butter = 11 (4.47%)
  • carpet = 11 (4.47%)
  • joyful = 11 (4.47%)
  • summer = 10 (4.07%)
  • middle = 10 (4.07%)
  • friday = 10 (4.07%)
  • person = 10 (4.07%)
  • football = 10 (4.07%)
  • people = 10 (4.07%)
  • soccer = 10 (4.07%)
  • butter32 = 1 (0.41%)
  • butter27 = 1 (0.41%)
  • dinner20 = 1 (0.41%)
  • letter38 = 1 (0.41%)
  • summer17 = 1 (0.41%)
  • summer83 = 1 (0.41%)
  • winter34 = 1 (0.41%)
  • apples74 = 1 (0.41%)
  • letter28 = 1 (0.41%)
  • Password = 1 (0.41%)
  • summer22 = 1 (0.41%)
  • letter48 = 1 (0.41%)
  • winter64 = 1 (0.41%)

Note the right hand column. Those are the passwords that are truly unique. This means that of 246 passwords, only 13 of them are not like the others. Of those 13, only one wasn’t based on the shared list. And even that one was the always original “Password.”

In all the analyses I’ve done, this is by far the worst. There are a handful of possible scenarios here. Ignoring the possibility this is completely fabricated (the usernames of the children make that seem somewhat unlikely), this is either a set of passwords that were generated for children or by children. Given how evenly matched the passwords are in distribution, it seems more likely there was a list of 21 “default” passwords that were generated and then the students were asked to change them. Given the passwords on the right hand column, it seems as though the instructions were “add two numbers to the end of your password to make it secure.” The password of “Password” matches a username of “Username,” so it’s probably a header or a default value and can be ignored.

So, what’s wrong here?

First, selecting passwords in this way means if someone knew their password and wanted to try to get into other accounts, they’d be able to get into at least 9 other accounts and possibly as many as 14 … and that’s with doing no work at all. If you look at word pairs you get summer/winter, apples/oranges and soccer/football. This raises the number of breached accounts with inside knowledge to 25. Now, if you decided to attack this system with a default word list, it would take about a day to get hits on most of these. If you had a list of usernames, you could easily gain access to every account on this list in a day. In some systems, it would take as little as a minute to crack each account.

So no one expects sixth graders to be security geniuses, but sad to say, habits get set early. Assuming the right hand column contains passwords that people changed, only 12 students changed their passwords as instructed. If we assume they were given instructions, this means we can expect 4.88% of people to follow directions. If personal experience indicates anything, sixth graders are even more likely to follow directions than adults, so in an average organization, we can assume less than 5% of people will follow best practices … and they’ll probably do the bare minimum required of them.

Now take a minute and think what this would have looked like if the following changes were made to the system:

  • Users are assigned completely random passwords
  • The system required passwords to be at least 12 characters long.
  • The system required passwords to have a mix of upper case, lower case, numbers and punctuation

What would happen? First, the student would probably write his or her password down somewhere. Now that code is as safe as a locker and/or the student’s resistance to bullying. Maybe there’s a better way.

What if the system were set up to allow users to register themselves and had a password complexity rule? Suppose it had to hit a specific score of something like 100, where the scoring worked this way:

  • base starts at 0
  • Upper case character = base+10
  • Lower case character = base+10
  • Number = base+10
  • Punctuation = base+10
  • Space character = base+10
  • Score = base * length of the password

If someone wanted to use a basic word like “winter,” the system wouldn’t accept the password (a base of 10 * 6 characters is only 60). “Zoologists,” on the other hand, would be accepted. If you wanted something shorter, you could go with “like2” to obtain your required score of 100 (a base of 20 * 5). This is the basic idea of password scoring. You could decide for yourself what metrics to use, but by raising the threshold score and weighting various characters differently, people are driven to select their own passwords.

Using the rules above, suppose you wanted a specific score of 1000. “Jooxiepa8da X1Zaode!” would work, but so would “Ask not what you can do for your country.” Which is easier to remember?
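The scoring rule above, worked through in code. This is an added example, not RJS’s code; it reproduces the post’s rules exactly (10 per character class present, times password length) and goes one step beyond them with an assumed stem check that rejects a banned base word with digits tacked on, the “butter32” pattern seen in the leaked list.

```python
"""Password scoring as described in the post (added example, not RJS's code).

Rules as given in the post: each character class present in the password
(upper, lower, digit, punctuation, space) adds 10 to a base; the score is
base * password length, and a password is accepted when it meets a threshold.
"""
import string
from typing import Optional, Set

CLASS_WEIGHT = 10  # each character class present contributes this much to the base


def char_class(ch: str) -> Optional[str]:
    """Map one character to one of the five classes the post scores, or None."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    if ch == " ":
        return "space"
    if ch in string.punctuation:
        return "punct"
    return None  # anything else (e.g. tab) adds nothing to the base


def password_base(pw: str) -> int:
    """Base = 10 per distinct character class present in the password."""
    classes = {c for c in (char_class(ch) for ch in pw) if c is not None}
    return CLASS_WEIGHT * len(classes)


def password_score(pw: str) -> int:
    """Score = base * length, exactly as the post defines it."""
    return password_base(pw) * len(pw)


def meets_threshold(pw: str, threshold: int) -> bool:
    return password_score(pw) >= threshold


def min_length_for(num_classes: int, threshold: int) -> int:
    """Shortest password using num_classes character classes that reaches threshold.

    This is the lever the post describes: raising the threshold forces either
    more classes or a longer (passphrase-style) password.
    """
    base = CLASS_WEIGHT * num_classes
    return -(-threshold // base)  # ceiling division


def stem(pw: str) -> str:
    """Strip trailing digits and lower-case, so 'butter32' -> 'butter'.

    Assumed extension (not in the post): catches the "add two numbers to the
    end of your password" variant of a shared default word.
    """
    return pw.rstrip(string.digits).lower()


def acceptable(pw: str, threshold: int, banned_stems: Set[str]) -> bool:
    """Accept only if the score is met AND the stem is not a known default word."""
    return meets_threshold(pw, threshold) and stem(pw) not in banned_stems


if __name__ == "__main__":
    # Constructed sample inputs; the first five are the post's own examples.
    samples = ["winter", "Zoologists", "like2",
               "Jooxiepa8da X1Zaode!",
               "Ask not what you can do for your country.",
               "butter32"]
    defaults = {"winter", "butter", "summer", "apples"}  # constructed default list
    for pw in samples:
        print(f"{pw!r:45} base={password_base(pw):3} score={password_score(pw):5} "
              f"ok@100={acceptable(pw, 100, defaults)} ok@1000={acceptable(pw, 1000, defaults)}")
    print("min length for 5 classes at 1000:", min_length_for(5, 1000))
```

Note that "Zoologists" still passes at a threshold of 100, as the post says; the stem check only helps against the specific shared words you know about.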

This is how you generate passwords to meet an arbitrary security threshold that are easy to remember and hard to crack. Since people don’t follow directions (5% change rate) and write down hard things to remember, this is one of the best systems you can implement. Sure, multifactor systems are better, but I don’t think sixth graders would be very good at keeping track of their magic “log me on” device. So instead of teaching them horrible password security from an early age, maybe we should implement a system that understands that humans, of whatever age, are human.

In fact, maybe we should do this in business too.

December Security Updates

December 20, 2011

Filed under: More Knowledge - More Security



Another month, another collection of patches and fixes you should install. This month we cover Adobe, Microsoft, VMware, Oracle, Opera and Android.

Adobe
Adobe has released patches for Acrobat and Reader … again. As before, these updates address flaws that allow attackers to take over a system by simply directing the user to a PDF file. Like we’ve seen throughout the past year, if you’re running Adobe Reader X, you’re far better off than if you stayed on 9.  (If you’re on 7 or 8, be aware those systems are no longer being maintained and are even riskier.) See details here and here.

Any file can be a potential source of compromise, but as the PDF format becomes increasingly more complex, it is increasingly used as an attack vector. If you don’t have a patch process built around Adobe products, you are not only taking a huge risk, but you’re likely already infected. Modern anti-malware systems do a great job of protecting against this sort of threat, but expecting them to protect the negligence of not patching is like expecting to put out a forest fire with a hand-held extinguisher.

In other Adobe news, there is a problem in Flash that we don’t know much about yet … except that Adobe hasn’t patched it yet. What little we do know about this problem is documented here. Needless to say, when you’re building that system to protect yourself from PDFs, best work Flash patching in, too.

Finally, there’s been problems found in Flex and ColdFusion. These have been patched and, thankfully, do not seem to require a recompilation of your applications. If you’re running a ColdFusion system, please read the technote here and pay close attention to whether you’ve installed the APSB11-14 Hotfix. If you do not have admin privileges to your ColdFusion server, you can use this technique to pull out information to give to your admins.

Microsoft
Microsoft sure believes in 2011 going out with a bang. Thirteen updates came out last week with eight of them critical. We get a nice mix of remote execution and privilege escalation which means “game over” to anyone that runs them together. Problems with TrueType fonts and Excel files are being actively exploited. As usual, the best details are over at the SANS Internet Storm Center. Please patch ASAP.

I also want to take a few minutes and point you to some interesting facets of the Microsoft articles that accompany these problems. Normally, Microsoft hides some information deep in the alerts about workarounds, but they’re usually not very useful. This month, however, is quite different.

- Microsoft has had a history of problems with reading TrueType files. Odds are MS11-087 is not the last patch for this issue. If you want to disable all embedded font functionality, see this workaround. You’re basically blocking access to the embedded font system by setting ownership and access control lists. Note that it will break the ability to generate PDF files from Word.

- The problem with Pinyin IME only affects Chinese versions of Office … and those that installed the optional input method. If you’re the type of person that loads all options just to have a “complete” install, be aware this places you at risk. The more pieces you have in a system, the more options an attacker has to take advantage of you.

- The workarounds for Publisher all read: “Do not open Publisher files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.” This is common verbiage in Microsoft articles. By now, I think we all know users are going to click on stuff. So, better advice might be “If you don’t need Publisher, don’t install it.” This also applies for Word, Excel, Powerpoint, Access, Project, OneNote, PictureManager, etc. Megapackages like Office come with lots of parts and if you don’t need them, don’t install them.

- The problem with Windows Media Player allows an attacker to take complete control by sending you a .dvr-ms file. Do you need to play .dvr-ms files?  I know I never have to. You can block this entire format by following the instructions here.

- MS11-094 involves loading DLL libraries over a WebDAV share. Microsoft has been having trouble with WebDAV since 2004. If you don’t use this feature (and unless you’re running Sharepoint, you probably don’t), you may just want to turn it off. Details on doing this are in this workaround. The easiest option is just to disable the WebClient service.

- Hidden in the same MS11-094 vulnerability is an instruction on how to use the Microsoft Office File Block policy. If you work in a high-risk organization and have updated to modern versions of Office, you can drastically reduce your risk by blocking old office types. Details here.

- Similarly, you can block file types that fail validation. As detailed in this workaround from MS11-096, the most common types of files used to spread malware to Office simply won’t be openable. Ask yourself whether you really need macros in old Office formats. I know I don’t.

Oracle
Even if you’re not running their database, you are likely still affected by Oracle updates. Since they purchased SUN, Oracle is now in charge of creating Java patches. Java is behind only Adobe PDF and Flash for the most exploited software. You should be patching Java just like Adobe and if you’re not (as I mentioned above), you’re likely already infected. The Oracle release notes are here. A list of bugs fixed are here.

VMware
There is a relatively minor update to VMware Update Manager 4.x. I am only mentioning it here because many people are still not in the habit of patching VMware. Remember, infrastructure components (VMware, Cisco gear, hardware appliances, etc.) are really just servers and need to be maintained the same way.

Details on the VMware issues are here.

Opera
For those who use the Opera web browser, note it has been updated to version 11.60. This update includes a fix for problems involving the BEAST attack. Details are covered here.

Android
If you are running an Android phone, be aware that malware has jumped 472% since July. Sadly, there is little we can do about this other than taking basic precautions. I recommend you at least run the free version of Lookout. If you’ve rooted your phone, try to limit where you install apps from and run DroidWall to keep your apps from being too chatty. I’ll work up a guide to a more secure Android device sometime in 2012, but the above advice should tide you over for the time being.

If you’re supporting devices professionally, there are some non-free options that help out a lot. Feel free to contact us for more details.

Angry Birds and Security

December 13, 2011

Filed under: More Knowledge - More Security



There are many exciting projects going on at RJS, so when I started this post I thought I might talk about the new security website we’re building or how we’re expanding our security offerings in 2012. But then I realized it’s December and December blog reading should be fun… so you get a post about improving your security with strategy lessons taken from Angry Birds!

In the world of Angry Birds, we have a small group of birds that are serially preyed upon by a kleptocratic monarchy of green pigs. In this world, the pigs steal the birds’ eggs and hide them in poorly-constructed shelters while the birds fling themselves at the pigs in efforts of destruction. Despite this vicious onslaught perpetrated by the birds, the pigs continue in their egg thievery, thereby allowing for a continuing series of episodes.

Clearly, there is room for improvement in terms of both offense and defense.

The Pigs

Let’s start by analyzing the Pig Empire. Their goal is to obtain eggs. It is implied they are for eating, raising the uncomfortable question as to where the pigs get their bacon. However, they are inefficient. If they were to take a lesson or two from real-life attackers, they would change their operations in the following ways:

1) Preparation

The root of their constant downfall is they expend insufficient effort on shelter construction. Even a cursory inspection of history would indicate a high likelihood of retaliatory avian attack, so it would be wise to prepare. The average shelter is shabbily built and falls to a mere handful of birds. If the pigs focused on quality over quantity, they could invest in sturdier materials and protect far more pigs. Building defenses prior to egg theft would result in a much more successful attack as well.

2) Planning

Another problem facing the pigs is the birds attack using a massive slingshot. I presume this provides additional impact force, but it does introduce a point of weakness. Modern attackers often focus on crippling their target’s ability to retaliate. In other words, if the pigs simply stole the slingshots when they stole the eggs, the birds would be seriously hampered in their efforts to counter-attack.

3) Sacrificial Hierarchy

It appears as though the pigs exist within a hierarchy consisting of a large king pig, a handful of mature leader pigs, some adult pigs and a large number of little pigs (that presumably cry “wee wee wee” all the way home). Malware teams have similar hierarchies, with the people funding development at the top, developers and project leaders below them, marketers below that and finally, those responsible for smuggling the money from your bank account overseas. If the pigs were to learn from this, they would hide their king and leaders in the best shelters possible, well out of reach of the birds, and draw their fire with an array of poorly defended little pigs. This structure allows for organizational continuity favoring the pigs and causes the birds to burn their resources inefficiently.

[Image: Common flaw of pig-based construction]

[Image: A more secure design]

The Birds

The birds seem to be structured as a loose confederation. Much in the way business owners band together to discuss and develop shared defenses, birds of more than one feather collaborate to combat the pigs’ designs. Just as there is room for improvement on the part of the pigs, there are areas where the birds could learn from the advice we give our clients as well.

1) Reduce Scope

First of all, the birds face the fundamental problem of constantly losing their eggs. The easiest way to protect against fundamental issues is to narrow the scope. If you’re protecting credit cards or health records, this means identifying the data and centralizing it for better protection. Now, in the case of eggs, there is clearly some risk from putting all one’s eggs in the same basket, but there is no rule that scope has to be limited that far. It could be limited to two or even three baskets. The key is to limit the scope as far as you can and then to boost the defenses around that area.

2) Improved Retaliation

Surprisingly, while the world of Angry Birds has a great many birds, none of them seem to be able to fly. This, as noted earlier, places them at significant risk from the loss of their slingshot. It also means their attacks must all originate from a single point. In the business world, we have several areas from which we can detect and respond to attacks. We detect attacks with technology, forward issues to security teams and law enforcement and, where needed, involve a judicial system. Similarly, an avian attack should be mounted from numerous locations. It should not require a specific bird attack from the East. Any flight-capable bird should be able to respond to attack.

3) Agility

Agile security involves being aware of your environment, your capabilities and your attackers’ capabilities. You can then make defense plans and execute quickly in the case of attack. There are times when the appropriate response is to tighten security, others when one should involve law enforcement and still others where it makes sense to allow the attack and learn as much from it as you can.

In the case of the birds, while they seem to be masters of resource utilization (expending minimum force to achieve their goals), there is still room for improvement. Their technique works because they face an enemy that fails to adapt. If this ever changes though, it would be impossible to regain the eggs and the birds’ continued existence would be at risk. Simply reviewing the Pig Empire defenses and dynamically selecting the number, species and order of attack would allow a significant increase in agility.

[Image: Improved attack method adapted to environment]

Conclusion

Perfect security is impossible so there are inevitable flaws on both the part of the birds and the pigs. While today’s birds are able to achieve their goals, if the enemy boosts their capabilities, the birds’ limited structure puts them at serious risk. The problem is that eggs keep getting stolen. If the birds improve their defensive strategy to such a point that egg theft drops significantly, the pigs might find it substantially easier to obtain sustenance from another source… Falldown 3D, perhaps.

Launching attacks is easier than defending against them. An attacker must only succeed once, but a good defender has to be vigilant all the time. A small improvement on the part of the pigs’ attack would place the birds themselves at risk of extinction. So it is essential that the birds improve their defenses and capabilities. With luck, they’ll manage to do this before things reach a point of criticality.

It’s a matter of trust

December 7, 2011

Filed under: More Knowledge - More Security



Warning: this blog entry covers sensitive current events and some of the links may use strong language.

When a big news story hits, do you ever notice a pattern or significant fact that, despite 24/7 coverage, everyone appears to be missing? The world has had three events in recent weeks get considerable attention throughout television, newspapers, radio and social media, and each of these events is a catastrophe that occurred because of poor policy choice and unplanned reactions. Let’s briefly explore them.


PayPal v. Regretsy

Paypal is known to “freeze” the assets of somewhat questionable groups. However, many are saying they crossed the line by pulling the plug on a fundraising effort to get Christmas gifts for 200 children in need. Yep, you read that right. Paypal followed their policy and basically profited three times off of preventing children from receiving gifts. Is it surprising that this blew up in their face?

April Winchell, of the popular website Regretsy.com, wrote up her story and published it online with a follow-up. Not only did she get a massive movement behind her, but due to the fame of regretsy.com and the nature of what Paypal’s employee said, the story went viral and is being spread throughout Facebook, Twitter and other social networks. The story has been reported so widely, there are now over 20,000 hits on Google with titles like:

PayPal ruins Christmas for over 200 kids

Paypal has no problem ruining Christmas for Children

Paypal – The Christmas Grinch

There are posts claiming “Paypal is evil” and people should “stop doing business with them immediately.” On top of that, there is a public list of Paypal and Ebay employee phone numbers and email addresses being spread along with this story.


Carrier IQ

As we have covered previously, Carrier IQ is the company that writes activity-monitoring software for cell phone providers. Some call it the rootkit of all evil but others say it’s not so bad. The news started within a rather small technical community, but rapidly expanded throughout the internet and has resulted in a class action lawsuit and a senate inquiry. Carrier IQ’s customers are also being sued.


Pepper Spraying Cop

Most everyone today knows the story about the cop that sprayed pepper spray in the faces of protesters at the University of California-Davis. While such events happen often, the fact it was captured with cameras and posted all over the internet made it famous. The incident has started a national discussion about militaristic police forces, a personal investigation into Lt. John Pike and endless parodies.


What does this mean?

In each case, someone did something no rational person would do if presented with the given scenario. The various parties all defended themselves by citing law and policy, yet each instance caused a catastrophic public relations nightmare they may never be able to fix.

If you asked John Pike, weeks before the incident, if he would ever walk past a line of passive college students and cover them with pepper spray, I’m sure he would have said no. If you asked the CEOs of ATT or Sprint a month ago if they ever thought about tracking every single action their customers took on the internet, they would have dismissed the idea as ridiculous. If you asked the leadership of Paypal if they planned to steal money from impoverished children for Christmas, they’d have called you insane.

Yet, each of these events happened. Why? It comes down to policy. Policy’s role is to guide behavior. It sets expectations and makes individuals accountable. Sadly, the latter is often phrased in a negative manner so employees do the bare minimum to protect the organization and, in the process, open up the potential for these types of unfortunate events.


A better way?

Think about what would have happened if the Paypal representative had taken the call and responded with “That sounds like a good cause to me. I’m not authorized to allow it, but let me get my boss on the phone.” Maybe their officers wouldn’t have gotten inundated with spam and phone calls. Maybe their name wouldn’t be equated with thievery and evil. Maybe working with the offended party would be a better approach than a half-hearted apology.

Similarly, what if Carrier IQ had entered into discussions with TrevE about his findings and then worked with ATT and Sprint to resolve the issue instead of immediately going to the legal system (and getting trounced)? Maybe the whole issue could have been avoided.

Lastly, what if Norm Stamper’s reforms of the police system gained traction? Maybe Occupy UC-Davis would have looked a lot more like Occupy Iowa City.


It’s a matter of trust

When I write policy for a client, the goal is to protect the business from mistakes made by employees. The goal is never to restrict employees to the point their only answer is always what the rule book states regardless of gray area. If you need something done exactly the same way every time, use a computer. They’re actually pretty good at repeatable tasks. People, in contrast, are really good facing unique situations and resolving them in creative ways. As soon as a policy prevents an employee from making improvements, there is no longer use for the employee. Just automate that job and be done with it. If that’s not your goal, your policy is broken. You can fix it by looking for scenarios which can be read literally and, as a result, cause catastrophes like the ones mentioned above.

There are many ways to fix these problems, once they’re found. Some businesses give their employees discretionary budgets. What if Paypal had said “Sorry for the mix up, and since it’s a good cause, here’s $100 to buy a kid a present.” Some businesses have an official PR escalation team. What if TrevE’s report hadn’t been met with hostility, but instead they said “Huh, good point. If we give you $1,000 can you give us some consulting on doing this better?” Some organizations create an expectation of personal responsibility, where it is illegal to obey an illegal order. Might that not have helped things at UC-Davis?

If you’re going to have people working for you, you have to let them be people. Let the policy be the guideline and trust them to follow the guidelines. If you do not trust your policy to guide, and not prescribe, action, you need a new policy. If you do not trust your people to be guided by a good policy, you need new people.

November Security Updates

November 15, 2011

Filed under: More Knowledge - More Security



It’s time for a quick review of important security updates released in November.

But before we get started, I want you to imagine your house, apartment, condominium… wherever you call home. Obviously you do not want random people entering this place, so you close the doors and lock them tight. Imagine your surprise then when you receive the following note from the company that makes your door locks:

ACME Lock Company is writing to notify you of a problem with the locks you’ve installed. Attackers have found a way to enter your house with no effort, but don’t worry, it’s only a problem IF YOUR DOORS ARE CLOSED.

Sound far-fetched? Well, that’s exactly what Microsoft did with MS11-083. This update fixes a problem where attackers can crash or take over a system through an attack against closed UDP ports … something every system has. The only difference between the Microsoft problem and my ridiculous house example is you can patch the Microsoft problem, so please go patch.

Yes, now. I can wait.

All patched? Good. Here are the other patches and fixes you should know about.

Microsoft
Other than the problem mentioned above, there were three additional patches. They are unlikely to be exploited en masse, so patch when you can. Odds are they were applied when you updated MS11-083, as directed above.

Learn more.

Adobe

Adobe updated Shockwave Player. Most people are running Flash these days, so if you have Shockwave, take a moment and ask yourself if you really need it. If you don’t, remove it and you’ll be a lot safer. If, however, you must run Shockwave, apply the update.

Adobe Air has also been updated.

Learn more.

Apple
Apple released a plethora of updates. As usual, there are many and you cannot pick and choose which ones to apply. They also don't tell you which ones are critical, so you had better apply them all. One thing that is known: the bundle updates Java to 1.6.0_29.

Learn more.

Duqu
A new malware attack called Duqu hit the news recently. This is another example of the increasingly targeted sort of malware that zeroes in on specific environments. It shares code with Stuxnet, and its installer, a crafted Word document, exploits a previously unknown vulnerability in the Windows kernel's TrueType font parsing code (CVE-2011-3402) to run its payload with kernel privileges.

Several security vendors have published detection tools; if you think you may be affected, run one. Microsoft has issued Security Advisory 2639658 with a temporary Fix It workaround (it denies access to the t2embed.dll font-embedding library) to use until a proper patch ships.

WordPress
The TimThumb problem from earlier this year is still spreading through WordPress sites. TimThumb is an image-resizing script bundled into many third-party themes and plugins rather than part of WordPress itself, so updating WordPress core does not fix it: every copy has to be updated or removed. Content management systems like WordPress, Drupal and Joomla are not inherently bad, but you must keep them, and every module you add to them, patched at all times. If you are using modules that do not have active updates, they should be replaced. If you don't know whether this is the case, ask your administrators or hosting company. If they don't know, it might be time to bring in some outside help.
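Finding every copy of an unmaintained script is the first step in replacing it, and a hosting company's answer of "we don't know" usually means nobody has looked. The scanner below is an added example, not part of the original post or of TimThumb or WordPress. It walks a document root, picks out files under the names TimThumb usually ships with (an assumption; themes sometimes rename it), reads the `define ('VERSION', ...)` constant the script declares near the top, and flags anything older than the 2.0 rewrite that followed the 2011 incident (the threshold is an assumption for this example). A copy with no readable version is reported as vulnerable on purpose: if you cannot show it is patched, treat it as unpatched. The sample tree is constructed inside a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
from typing import List, Tuple

# File names TimThumb usually ships under inside theme and plugin folders.
# Assumption: some themes rename it, so extend this set with what you find.
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
# Assumption for this example: anything older than the 2.0 rewrite that
# followed the 2011 incident is treated as needing replacement.
SAFE_FROM = (2, 0)
# TimThumb declares its version as define ('VERSION', '2.8.10'); near the top.
_VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9.]+)['"]""")


def version_tuple(text: str) -> Tuple[int, ...]:
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def scan_timthumb(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root and return (relative path, version, vulnerable) per TimThumb copy.

    A copy whose version cannot be read is reported as vulnerable: if you cannot
    show it is patched, treat it as unpatched."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(4096)          # the constant sits in the header
            match = _VERSION_RE.search(head)
            if match:
                version = match.group(1)
                vulnerable = version_tuple(version) < SAFE_FROM
            else:
                version, vulnerable = "unknown", True
            findings.append((os.path.relpath(path, root), version, vulnerable))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed WordPress-like tree: one old copy, one current copy, one with
    its header stripped, and an unrelated file that must not be reported."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    samples = {
        "wp-content/themes/old-theme/timthumb.php": "<?php\ndefine ('VERSION', '1.32');\n",
        "wp-content/themes/new-theme/scripts/thumb.php": "<?php\ndefine ('VERSION', '2.8.10');\n",
        "wp-content/plugins/gallery/timthumb.php": "<?php\n// header stripped by the theme author\n",
        "wp-content/themes/new-theme/style.css": "/* not a script */\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import sys
    # Pass a real document root as the first argument; otherwise scan the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, version, vulnerable in scan_timthumb(target):
        print(f"{'REPLACE' if vulnerable else 'ok     '} {version:<8} {path}")
```

Run it against the real web root (`python scan.py /var/www/html`) rather than the sample tree, and add to `TIMTHUMB_NAMES` any renamed copies you discover; the same pattern works for any bundled script that carries a version constant.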

Learn more.

As always, if you need assistance with any security issues, please feel free to drop us a note or give us a call.

October Security Updates

October 25, 2011

Filed under: More Knowledge - More Security

Tags: , , , ,

Comments: No Comments »


What is happening in the security world this month and how does it affect you? Let’s take a look at important October security updates from around the globe.

Microsoft

Another month, another set of patches from Microsoft. The one to watch for this month is MS11-076. This fixes a problem with Media Center that is being exploited all over the Internet. If you are using Microsoft technology to watch media, apply this patch as soon as you can. There is also an update for IIS that patches a hole attackers were exploiting to run code on your servers... so please remember to apply updates to your web servers. The last one I want to specifically point out is a patch to Forefront. This is yet another example of Microsoft's security technologies REDUCING rather than improving protection. If you are using Microsoft technology as the only layer for protecting Microsoft technology, you might want to consider whether that is actually a reasonable defense.

There are other patches considered critical on your workstations, but not interesting in their own rights. By the time you read this, they should all have been patched. If they have not been, you should really ask yourself whether leaving your business unprotected for a week is really in your best interest.  If your workload is too high to get patches out in a reasonable amount of time, you may wish to consider technological assistance. While good patch management systems aren’t free, they often pay for themselves in short order.

Learn more.

Apple
While the news of Steve Jobs’ passing made front pages everywhere, the news about the recent set of updates did not. These updates cover both OSX and the Windows version of iTunes. Unlike other vendors who release patches on a fairly regular schedule, or at least, on an “as needed” basis, Apple likes to bundle theirs with new functionality. This is good in that it forces people to get the latest security patches to use new features, but bad in that the window of opportunity exposed to an attacker is much larger than it really should be. If you are using OSX, I strongly recommend you also run the free Sophos protection suite to protect yourself while Apple goes through their process.

I also want to point out the new Windows version of iTunes is NOT dependent on Quicktime. Once you update iTunes (if you use it), this would be a great time to remove Quicktime altogether. Odds are the Windows system will handle those files just fine, so all Quicktime is doing for you is providing another application for attackers to target.

Lastly, be aware that in some cases the OSX update has caused problems for people applying it. Do a bit of research before initiating the update so you know what to do if it doesn't apply cleanly. Worst case, the friendly folks at the Apple store should be able to fix it for you.

Learn more.

Sony
I really wish I wasn't still writing these. Sony was attacked in April of 2011 and the attacks seem to just keep coming. In the most recent iteration, roughly 93,000 PlayStation Network and Sony Online Entertainment accounts were compromised when attackers tried large batches of username and password pairs stolen from other sites and found the ones that matched. Sony is showing improvement in how they are handling these sorts of incidents, but clearly, people are still getting through.

Fundamentally, even if Sony were perfect, there is a limit in what they can do to protect you. Remember, security systems only protect those that protect themselves. If you are sharing passwords between sites, using simple passwords or not reviewing your credit card statements, you are substantially raising the risk to yourself.

Learn more.

VMware
Another set of updates to VMware were released last week. Bear in mind that VMware ESX is an operating system on which other operating systems run, so you have to patch both levels. VMware is pretty good about testing their updates and releasing them in a reasonable time frame, but you have to help them help you by applying the patches when they come out. Far too many people take a “we’ll do it tomorrow” approach to what they consider “infrastructure” patches, which just makes them easier targets over time. If you’re not patching your VMware systems, switches, routers, firewalls, etc., your risk level is likely a lot higher than you think it is.

Learn more.

RSA
Details from the RSA attack earlier this year are starting to emerge.  We now know that there were two groups from a single nation state behind the attack. The fact it was two groups and not just one is fascinating to those of us that track those things, but entirely useless information to most of you, so I shan’t dwell upon it. Instead, consider the other piece of news. This attack was of the type we are increasingly seeing. The GOVERNMENT of a foreign country targets a COMPANY. Sure, you may feel like your technology and operation procedures are sufficient for blocking the idle attacker or the disgruntled employee, but are you prepared to take on a team of highly-skilled attackers employed by a foreign government and focused directly on you?

Most people aren’t.

Learn more.

Facebook
The fight between an Austrian student and Facebook has reached epic proportions and is now being followed very closely by privacy experts.  While the specific issues only seem to be legally actionable in the European Union, it is worth reviewing the specific complaints. If you care about your privacy, read the TWENTY-TWO complaints against Facebook and consider whether you trust your personal information with the social media giant.

Learn more.

September Security Updates

September 21, 2011

Filed under: More Knowledge - More Security

Tags: , , , , , , , ,

Comments: No Comments »



What is happening in the security world this month and how does it affect you? Let’s take a look at important September security updates from around the globe.

Microsoft

This month, Microsoft's patches came out early. While this sounds like a good thing, it was actually a mistake on Microsoft's part. They "fixed" this by unpublishing the patches for a few days and then re-releasing them at the correct time. The problem with this is that attackers had advance notice to prepare and launch their attacks before the patches were again available.

The patches covered various issues in Windows and Office, but the one that has been causing the largest concern is MS11-071. Problems occur when a user opens a legitimate .rtf, .txt or .doc file that is in the same directory as a malicious dynamic link library (DLL). Though it is a trifle difficult to exploit – requiring a two-stage attack – attackers still utilize this hole, so patching is a priority.

If you have to prioritize, patch workstations first, with emphasis on those workstations that are running with local administrator rights.

Learn more.


Adobe

As you may have heard, Adobe took the "most attacked" badge away from Microsoft in early 2010. Adobe's September update applies to both Reader and Acrobat, so if you read PDFs, it's update time! Failure to apply the updates will put your system at risk of malware, and since this sort of malware is often used to steal money out of your bank account, updating would be good.

The latest Adobe Reader, version X, is designed to be much more secure than earlier versions: it runs PDF rendering inside a sandbox (Adobe calls it Protected Mode), so an exploit that succeeds still has far less reach into your system. If you are able to upgrade, you should do so. Be aware that in November, Adobe will officially stop supporting version 8 of their Reader and Acrobat software. This means if you're not on version 9 or X by the end of the year, you're asking for trouble.

Learn more.


Oracle

Like Adobe, Oracle likes to release updates on a regular, quarterly schedule. Unlike Adobe, Oracle just broke their planned schedule with an out-of-cycle patch for CVE-2011-3192. This is the Apache HTTP Server Range-header denial of service (the "Apache Killer") that affected Apache last month, but since Oracle HTTP Server is built on Apache, it took Oracle a while longer to patch.

In short, the patching is easy and free. Your Oracle site will be down briefly and then quickly come back up. If you choose NOT to patch this one, an attacker can bring your site down any time they like: a single HTTP request asking for hundreds of overlapping byte ranges makes the unpatched server expand each range in memory until it runs out. At this point, we don't think they can steal data from an unpatched system, however, being able to remotely kill your site is a form of power that many won't be able to pass up.
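The attack request is simple enough to show, and so is the check that Apache recommended as an interim workaround while the patch was pending (drop the Range header when it carries five or more commas). The block below is an added example, not code from the original post or from Apache or Oracle. It builds a constructed copy of the abusive header, parses byte-range sets the way a reverse proxy or WAF filter would, and strips the header when it has too many ranges or ranges that overlap or run backwards, which is the same effect as Apache's `RequestHeader unset Range env=bad-range` directive. Function names, the five-range threshold and the sample requests are choices made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed headers: a normal single range, and the CVE-2011-3192 pattern of
# one leading range followed by hundreds of overlapping ranges, each of which
# an unpatched httpd expanded into its own in-memory bucket.
NORMAL_RANGE = "bytes=0-1023"
ATTACK_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(1, 1300))

_RANGE_SET_RE = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)


def parse_ranges(header: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs; None marks an open side.

    Returns None when the value is not a byte-range set at all (a server ignores
    such a header rather than honouring it)."""
    m = _RANGE_SET_RE.match(header)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if "-" not in spec:
            return None
        lo, hi = spec.split("-", 1)
        if not lo and not hi:
            return None
        try:
            ranges.append((int(lo) if lo else None, int(hi) if hi else None))
        except ValueError:
            return None
    return ranges


def is_abusive_range(header: str, max_ranges: int = 5) -> bool:
    """True if the Range value matches the CVE-2011-3192 abuse pattern.

    Two signals: more ranges than a legitimate client needs (Apache's interim
    mitigation dropped the header once it held five commas, i.e. six ranges),
    or a range that runs backwards or overlaps an earlier one. Suffix ranges
    such as '-500' need the file size to resolve, so they are counted but not
    overlap-checked."""
    ranges = parse_ranges(header)
    if ranges is None:
        return False
    if len(ranges) > max_ranges:
        return True
    seen: List[Tuple[int, float]] = []
    for lo, hi in ranges:
        if lo is None:
            continue
        if hi is not None and hi < lo:
            return True                      # backwards range such as '5-0'
        end = float(hi) if hi is not None else float("inf")
        if any(lo <= p_end and p_lo <= end for p_lo, p_end in seen):
            return True                      # overlaps an earlier range
        seen.append((lo, end))
    return False


def strip_abusive_range(headers: Dict[str, str], max_ranges: int = 5) -> Dict[str, str]:
    """Return a copy of the request headers with an abusive Range header removed.
    Without a Range header the server just sends the whole resource once, which
    is what the interim Apache workaround achieved."""
    cleaned = dict(headers)
    for name in list(cleaned):
        if name.lower() == "range" and is_abusive_range(cleaned[name], max_ranges):
            del cleaned[name]
    return cleaned


# Constructed requests as a reverse proxy or WAF would see them.
SAMPLE_REQUESTS = [
    {"Host": "www.example.com", "Range": NORMAL_RANGE},
    {"Host": "www.example.com", "Range": ATTACK_RANGE},
    {"Host": "www.example.com", "Range": "bytes=0-99,100-199,50-60"},
    {"Host": "www.example.com"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        dropped = "Range" in req and "Range" not in strip_abusive_range(req)
        print(f"{req.get('Range', '<no Range>')[:40]:<42} {'dropped' if dropped else 'kept'}")
```

The count check alone reproduces Apache's workaround; the overlap and backwards-range checks catch a sender who stays under the count but still asks for the same bytes repeatedly. Neither replaces the patch, which fixes how the server merges and limits ranges internally.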

Learn more.


Cisco

If you run Cisco Unified Service Monitor, Cisco Unified Operations Manager or CiscoWorks LAN Management, be aware that attackers can run whatever they like on your unpatched systems.  There is no workaround for this issue other than applying the patches… so apply them, please.

Learn more. Additional details.


DigiNotar

In case you hadn't heard, the Dutch certificate authority DigiNotar was recently* broken into. A certificate authority issues the SSL certificates your browser trusts, and the intruders used DigiNotar's systems to issue fraudulent certificates for domains including Yahoo, Facebook, Twitter and Google; a rogue *.google.com certificate was later seen being used to intercept Google traffic of users in Iran. Sadly, the industry is at a point where there are few good solutions to this sort of problem. All major browsers released updates that removed DigiNotar from their trusted roots, on the principle that if we can't tell which of its certificates are good, they're all bad. That protection only reaches you, however, once you apply the browser updates.

The report by Fox-IT, the company that investigated the breach, shows some basic security precautions were missing:

- No centralized logging, thus breaches are difficult to identify and investigate
- Weak passwords, so attackers could get in more easily
- Unpatched servers, so attackers could get in more easily
- No antivirus protection, so even basic malware would assist in an attack

The big takeaway here is that the Internet is a shared infrastructure. If one big player falls down on the job like DigiNotar did, it puts us all at risk. The best we can do is keep our systems updated and use web filtering technologies that are SSL-aware so they can alert us if something changes. This is an area to watch, as these sorts of attacks are on the rise.

Learn more. Additional details.

* Reports vary as to whether the attacker got into DigiNotar in July 2011 or in May 2009... so things may have been bad for a long time.

UPDATE: Due to this attack, the Dutch government has ordered DigiNotar to stop business and the company has declared bankruptcy.


PCI

If you accept credit cards, you probably fall under PCI requirements. The big news this month is there are now standards for point-to-point encryption. There is a rumor that there will be a certification program soon, but as of right now, no product is certified. However, this is a good time to look at your network and consider whether everything is as protected as it should be.

Learn more. Detailed PCI specifications.

With luck, we’ll have certified devices to recommend in a few months. Until then, we’ll do our best to keep you informed.


FROGS
Despite the fact that attackers sometimes appear to move more quickly than we defenders do, I don't like to end on a down note. Thus, enjoy a recently-discovered frog that meows like a cat!
