RJS Security Lunch & Learn – Nov. 9th

October 12, 2011

Filed under: RJS Software



Join us online or at RJS Headquarters for a special security “Lunch & Learn.”

Date: Wednesday, November 9, 2011
Starting Time:
11:00 AM CST
Location:
RJS Headquarters – Burnsville, MN

Join us at RJS headquarters in Burnsville for a FREE RJS Security “Lunch & Learn.” This 90-minute event will provide attendees with a view of the current security landscape and best practice solutions to solve today’s hottest security issues.

You’ll learn advanced techniques on how to:
- Protect against data loss resulting from attacks or device theft
- Fight back against the malware tools hackers use to steal your data
- Keep your servers safe against network-based threats
- Safeguard your users from web-based attacks
- Eliminate application-level threats with patch management

Attendees will have a chance to win the new Amazon Kindle Fire!

Register for the onsite RJS Security Lunch & Learn.

Can’t join us in Burnsville? Register to view the live webcast.

September Security Updates

September 21, 2011

Filed under: More Knowledge - More Security




What is happening in the security world this month and how does it affect you? Let’s take a look at important September security updates from around the globe.

Microsoft

This month, Microsoft’s patches came out early. While this sounds like a good thing, it was actually a mistake on Microsoft’s part: the patches were pulled for a few days and then re-released at the scheduled time. The problem is that attackers had advance notice of what was being fixed and could prepare and launch attacks before the patches were available again.

The patches covered various issues in Windows and Office, but the one causing the most concern is MS11-071, a DLL preloading (insecure library loading) flaw. It is triggered when a user opens a legitimate .rtf, .txt or .doc file that sits in the same directory as a malicious dynamic link library (DLL): Windows looks in the document’s directory for the library and loads the attacker’s copy. Exploitation takes two stages, planting the DLL somewhere the victim will browse (a network share or a downloaded archive, for example) and then getting the victim to open a document from that location, so it is a trifle harder to pull off, but attackers still use this hole, and patching is a priority.

If you have to prioritize, patch workstations first, with emphasis on those workstations that are running with local administrator rights.
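Because MS11-071 is a DLL preloading flaw, the precondition an attacker needs is a DLL sitting beside a document the user will open. The script below is an added example, not RJS’s or Microsoft’s code: it walks a directory tree (a user’s Downloads folder, a file share) and reports every .rtf, .txt or .doc that shares a folder with a DLL, which is where to look first on unpatched workstations. The demo tree it builds under a temporary directory is constructed for illustration; the file names in it are made up.

```python
import os
import tempfile

# File types the page lists as triggering the insecure library load (MS11-071).
DOCUMENT_EXTENSIONS = {".rtf", ".txt", ".doc"}


def find_dll_planting_candidates(root):
    """Walk `root` and return (document, dll) path pairs where a DLL sits in
    the same directory as a document of an affected type. Each pair is a
    place where opening the document on an unpatched workstation could load
    the neighbouring DLL instead of the legitimate system copy."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not dlls:
            continue  # no planted library here, nothing to report
        docs = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in DOCUMENT_EXTENSIONS)
        for doc in docs:
            for dll in dlls:
                findings.append((os.path.join(dirpath, doc),
                                 os.path.join(dirpath, dll)))
    return findings


def build_demo_tree():
    """Constructed stand-in for a Downloads folder (not real user data):
    one subfolder holds a .doc and a .txt next to a .dll (suspicious), the
    other holds only a .txt (clean). Returns the root path."""
    root = tempfile.mkdtemp(prefix="ms11071_demo_")
    suspicious = os.path.join(root, "invoice_bundle")
    clean = os.path.join(root, "notes")
    os.makedirs(suspicious)
    os.makedirs(clean)
    for name in ("invoice.doc", "readme.txt", "helper.dll"):
        open(os.path.join(suspicious, name), "wb").close()
    open(os.path.join(clean, "todo.txt"), "wb").close()
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for doc, dll in find_dll_planting_candidates(demo_root):
        print(f"document {doc} shares a directory with {dll}")
```

This only finds the precondition; a DLL next to a document is not proof of an attack (some installers legitimately ship one), and the fix remains the MS11-071 patch.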

Learn more.


Adobe

As you may have heard, Adobe took the “most attacked” badge away from Microsoft in early 2010. Adobe’s September update applies to both Reader and Acrobat, so if you read PDFs, it’s update time! Failing to apply the updates leaves your system open to malware delivered through booby-trapped PDFs, and since that sort of malware is often used to steal money out of bank accounts, updating is well worth the trouble.

The latest Adobe Reader, version X, is designed to be much more secure than earlier versions. If you are able to upgrade, you should do so. Be aware that in November Adobe officially stops supporting version 8 of Reader and Acrobat, so if you’re not on version 9 or X by the end of the year, you’re asking for trouble.

Learn more.


Oracle

Like Adobe, Oracle releases updates on a regular quarterly schedule. Unlike Adobe, Oracle has just broken that schedule with an out-of-band patch for CVE-2011-3192. This is the same Range-header denial-of-service problem that hit the Apache HTTP Server last month; since Oracle embeds Apache in several of its products, it took a while longer to patch.

In short, the patching is easy and free: your Oracle site will be down briefly and then come back up. If you choose NOT to patch this one, an attacker can bring your site down any time they like with a handful of crafted requests. At this point, we don’t think they can steal data from an unpatched system, but being able to remotely kill your site is a form of power that many won’t be able to pass up.
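The Apache problem behind CVE-2011-3192 is a Range header carrying many overlapping byte ranges, each of which httpd buffers separately until memory runs out. The check below is an added example, not Oracle’s or Apache’s code, of the kind of front-end filtering that buys time until the patch is on: it parses a Range header value, flags headers that are oversized, carry more than five ranges (the interim limit Apache’s advisory recommended enforcing with mod_rewrite), or contain invalid or overlapping ranges, and runs that check over a few constructed header values. The thresholds are the advisory’s suggestions, and the sample headers are made up rather than captured traffic.

```python
import re

# One byte-range-spec: "first-last", "first-" (open ended) or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value):
    """Parse a Range header value such as "bytes=0-99,200-,-50" into a list
    of (start, end) tuples, using None for an omitted start (suffix range)
    or omitted end (open-ended range). Raises ValueError on anything that
    is not a syntactically valid byte-range set."""
    if not value.lower().startswith("bytes="):
        raise ValueError("only byte ranges are supported")
    ranges = []
    for spec in value[len("bytes="):].split(","):
        spec = spec.strip()
        match = _RANGE_SPEC.match(spec)
        if not match or spec == "-":
            raise ValueError(f"malformed range spec: {spec!r}")
        start, end = match.groups()
        ranges.append((int(start) if start else None,
                       int(end) if end else None))
    return ranges


def is_range_abuse(value, max_ranges=5, max_header_len=200):
    """Return True when a Range header looks like the CVE-2011-3192 pattern:
    an oversized header, more ranges than a legitimate client would send,
    a malformed or inverted range, or ranges that overlap each other.
    max_ranges=5 and max_header_len=200 mirror the limits in Apache's
    interim advice and are assumed defaults here."""
    if len(value) > max_header_len:
        return True
    try:
        ranges = parse_range_header(value)
    except ValueError:
        return True
    if len(ranges) > max_ranges:
        return True
    absolute, suffix, open_ended = [], [], []
    for start, end in ranges:
        if start is None:
            suffix.append(end)
        elif end is None:
            open_ended.append(start)
            absolute.append((start, float("inf")))
        else:
            if start > end:
                return True  # "5-0": syntactically invalid per RFC 2616
            absolute.append((start, end))
    # A suffix range ("-500") can only be placed once the resource length is
    # known; if the same request also asks for an open-ended range, the two
    # necessarily overlap, so treat that combination as abuse.
    if suffix and open_ended:
        return True
    absolute.sort()
    for (_s1, e1), (s2, _e2) in zip(absolute, absolute[1:]):
        if s2 <= e1:
            return True  # next range starts inside the previous one
    return False


# Constructed Range header values as they might appear in an access log or
# WAF capture (not real traffic): one benign download resume, one
# many-range request, one with overlapping ranges.
SAMPLE_HEADERS = [
    "bytes=0-1023",
    "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5",
    "bytes=0-99,50-149",
]


def triage(headers):
    """Return the subset of header values that should be rejected."""
    return [h for h in headers if is_range_abuse(h)]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{'REJECT' if is_range_abuse(header) else 'ok    '}  {header}")
```

Legitimate clients (download managers, PDF viewers fetching page ranges) rarely send more than a few ranges, so the five-range limit is low-risk; rejecting overlapping ranges is stricter than the advisory required but matches what the later Apache fix does.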

Learn more.


Cisco

If you run Cisco Unified Service Monitor, Cisco Unified Operations Manager or CiscoWorks LAN Management, be aware that attackers can run whatever they like on your unpatched systems.  There is no workaround for this issue other than applying the patches… so apply them, please.

Learn more. Additional details.


DigiNotar

In case you hadn’t heard, the certificate authority DigiNotar was recently* broken into. A certificate authority issues the SSL certificates that browsers rely on to identify web sites, and the intruders used DigiNotar’s systems to issue rogue certificates for domains including Yahoo, Facebook, Twitter and Google, so users of those sites are at risk of being silently impersonated or intercepted. Sadly, the industry is at a point where there are few good solutions to this sort of problem. All major browsers released updates that block DigiNotar’s certificates, on the principle that if we can’t tell which certificates are good, they’re all bad. The catch is that the block only protects you once you apply the browser update.

The report by Fox-IT, the company that investigated the breach, shows some basic security precautions were missing:

- No centralized logging, thus breaches are difficult to identify and investigate
- Weak passwords, so attackers could get in more easily
- Unpatched servers, so attackers could get in more easily
- No antivirus protection, so even basic malware would assist in an attack

The big takeaway here is that the Internet is a shared infrastructure. If one big player falls down on the job like DigiNotar did, it puts us all at risk. The best we can do is keep our systems updated and use web filtering technologies that are SSL-aware, so they can alert us if a site’s certificate changes. This is an area to watch, as these sorts of attacks are on the rise.
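Concretely, an “SSL-aware” filter can do two things a browser update does for end users: remember the certificate each site presented and alert when it changes, and refuse any chain whose issuer the browser vendors have pulled. The class below is an added example, not RJS’s product or any browser’s code, of a trust-on-first-use pin store keyed by SHA-256 fingerprint with a distrusted-issuer list. The PEM strings it hashes are constructed stand-ins (base64 of arbitrary bytes, not real X.509 certificates), the issuer name is passed in rather than parsed from the certificate, and the hostname is illustrative; the only real name in it is DigiNotar’s root CA.

```python
import base64
import hashlib
import ssl

# Issuers the browser updates removed from their trust stores. The real
# blocklists enumerate every DigiNotar-controlled CA; this list is an
# illustrative subset, not a complete one.
DISTRUSTED_ISSUERS = {"DigiNotar Root CA"}


def fingerprint(pem):
    """SHA-256 fingerprint of the DER bytes inside a PEM block, the same
    value `openssl x509 -noout -fingerprint -sha256` prints (without
    the colons)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Trust-on-first-use store: remember the fingerprint seen for a host
    and report when a later connection presents a different one."""

    def __init__(self):
        self.pins = {}  # hostname -> hex fingerprint first seen

    def check(self, host, leaf_pem, issuer):
        """Return (verdict, fingerprint). Verdicts: 'reject' for a chain
        from a distrusted issuer, 'pinned' on first sight of a host,
        'ok' when the pin matches, 'alert' when it changed."""
        fp = fingerprint(leaf_pem)
        if issuer in DISTRUSTED_ISSUERS:
            return ("reject", fp)  # never trust, whatever the pin says
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            return ("pinned", fp)
        if known == fp:
            return ("ok", fp)
        return ("alert", fp)  # certificate changed: renewal or interception


def make_fake_pem(payload):
    """Constructed stand-in for a certificate: a PEM wrapper around
    arbitrary bytes. It is NOT a real X.509 certificate; it only gives the
    fingerprint code the same input shape `openssl s_client` prints."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    store = PinStore()
    first = make_fake_pem(b"constructed leaf cert, version 1")
    second = make_fake_pem(b"constructed leaf cert, version 2")
    print(store.check("www.example.com", first, "Example Issuing CA"))
    print(store.check("www.example.com", first, "Example Issuing CA"))
    print(store.check("www.example.com", second, "Example Issuing CA"))
    print(store.check("www.example.com", second, "DigiNotar Root CA"))
```

Pinning the whole certificate means a routine renewal also raises an alert, which is acceptable for a monitoring tool that hands the alert to a person; an automated blocker would pin the site’s public key instead so that renewals under the same key stay quiet.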

Learn more. Additional details.

* Reports vary as to whether the attacker got into DigiNotar in July 2011 or in May 2009… so things may have been bad for a long long time.

UPDATE: Due to this attack, the Dutch government has ordered DigiNotar to stop doing business and the company has declared bankruptcy.


PCI

If you accept credit cards, you probably fall under PCI requirements. The big news this month is that the PCI Security Standards Council has published standards for point-to-point encryption (P2PE). A certification program is rumored to follow, but as of right now no product is certified. Even so, this is a good time to look at your network and consider whether everything is as protected as it should be.

Learn more. Detailed PCI specifications.

With luck, we’ll have certified devices to recommend in a few months. Until then, we’ll do our best to keep you informed.


FROGS
Despite the fact that attackers sometimes appear to move more quickly than we defenders do, I don’t like to end on a down note. So enjoy a recently discovered frog that meows like a cat!

Legal encryption or self-incrimination?

July 14, 2011

Filed under: Leigh's Security Tips



I asked the following question of RJS employees this morning for a quick reaction:

“Do you think it is lawful for the United States court system to force you into revealing the password of your encrypted laptop so they can decrypt and view the information within it?”

Yes = 2

No = 3

Depends = 11

As the 11 “depends” answers show, this issue isn’t black and white; even our “yes” and “no” responses came with conditions. Interestingly, this very scenario is currently being played out in our legal system, with a ruling that could set a precedent.

CNET.com posted an article this week discussing personal rights and whether the United States Department of Justice can force you to decrypt your hard drive so the information on it can be used against you in a court of law.

The case involves a laptop seized during the investigation of a mortgage scam. During the police raid, Ramona Fricosu’s laptop was taken by authorities, but the information they sought on it was encrypted. Prosecutors have asked the federal judge to order her to enter the passphrase so the data can be decrypted, and she has refused. The judge must now decide whether she is protected under the United States Constitution, a ruling that could set significant legal precedent.

To date, no appeals court has ruled on whether compelling an encryption passphrase is permissible under the Fifth Amendment of the United States Constitution. The Fifth Amendment broadly protects an American’s right to remain silent. As Wikipedia appropriately writes, “To ‘plead the Fifth’ is to refuse to answer a question because the response could provide self-incriminating evidence of an illegal act punishable by fines, penalties or forfeiture.” This could well be the case for Fricosu and her seized laptop.

But here’s the sticky part.

Prosecutors are not demanding her passphrase; they’re demanding she enter it so the data becomes decrypted. She is not being required to point out what may be incriminating. Precedent already exists for forcing defendants to hand over keys to safes, vehicles and the like, and prosecutors assert that Fricosu’s laptop is no different: she is not being forced to incriminate herself, merely to unlock the safe holding the data.

What do you think? With this case in mind, should the legal system be able to force you into providing the key to unlocking encrypted information stored on your personal computer?

More food for thought:
US laws regarding encryption
UK laws regarding encryption

The Sony PSN data breach timeline

May 3, 2011

Filed under: Leigh's Security Tips



April 22nd
Sony’s PlayStation Network (PSN) goes offline without warning. Days go by and 77 million Sony PSN customers are completely in the dark. The internet explodes with wild speculation as to what is going on.

April 26th
Sony posts on its blog that the service outage is an intentional response to a severe data breach affecting all 77 million PSN users. Sony posts contact information for Experian, Equifax and TransUnion and urges PSN users to monitor their credit reports and to be wary of email, telephone and postal scams.

April 27th
Sony updates its blog with further details regarding the breach. They specifically note that names, birthdates, passwords, addresses and the challenge questions used to reset passwords were stored in an UNENCRYPTED database. That database was protected by a “very sophisticated security system,” yet apparently not sophisticated enough, since it was UNENCRYPTED and accessed by a third party.

They also assert that credit card information was stored in a separate encrypted database, but give no details of the encryption used. Sony warns that, despite the encryption, the payment information may also have been compromised. That leaves users suspecting Sony’s encryption was another “very sophisticated security system” and assuming the worst.

May 1st
Sony publicly apologizes and admits that 10 million customers may have had their credit card details exposed.

Sony does pass on a bit of good news: the passwords in the compromised files were hashed.

May 2nd
Sony takes down its other service offerings and admits the intrusion went deeper than first thought, also affecting the Sony Online Entertainment portal.

May 3rd
Sony announces in a press release that in addition to the 77 million records lost on PSN, another 24.6 million records were stolen from their Sony Online Entertainment division, bringing the grand total to 101.6 million customer records. Sony outlined the details of what the stolen records contained: name, address, email address, birthdate, gender, phone number, login name and hashed password. They also stated that 10,700 direct debit records for Sony customers from Austria, Germany, the Netherlands and Spain had their bank account numbers, customer name, account name and customer address stolen.


So if you are a Sony customer, what should you do?

1)  Contact your credit card company and tell them you suspect your card number has been exposed. They will cancel the card and issue you a new one with a different number.

2)  Watch your email closely for scam messages asking you to verify account and payment information. Sony has posted in their blog that they will never ask for credit card details. An email doing so is most likely a phishing scheme.

3)  Change your password and password reset challenge questions for other online services you use that employ the same password and questions as your PSN account.

4)  Keep a close eye on your credit report. The unencrypted personal data stolen from PSN is enough information to open a credit card in your name.
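Sony said the leaked passwords were hashed, but not how, and whether hashing helps depends entirely on that: a bare, unsalted hash is reversed with a precomputed table of common passwords, one hash per guess serving all 101.6 million accounts at once, which is why item 3 above matters wherever the same password was reused. The code below is an added example, not Sony’s code and no claim about what PSN actually used, contrasting an unsalted SHA-1 store with salted, iterated PBKDF2 from Python’s standard library. The wordlist and the “leaked” hashes are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real cracking wordlist (a few common entries).
WORDLIST = ["123456", "password", "letmein", "playstation", "qwerty"]


def unsalted_sha1(password):
    """The weak scheme: one deterministic hash per password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored_hashes, wordlist=WORDLIST):
    """Reverse unsalted hashes with a lookup table built once from the
    wordlist. Because every user's hash of "letmein" is identical, the
    same table cracks every account in a leaked dump in one pass."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def hash_password(password, iterations=100_000):
    """The stronger scheme: a random 16-byte salt per user and an iterated
    PBKDF2-HMAC-SHA256 derivation, stored with its parameters so they can
    be raised later without breaking verification."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Recompute the derivation from the stored salt and iteration count
    and compare in constant time."""
    algorithm, iterations, salt_hex, derived_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash scheme: {algorithm}")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), derived_hex)


if __name__ == "__main__":
    # Constructed "leak": two accounts, one using a common password.
    leaked = [unsalted_sha1("letmein"), unsalted_sha1("correct horse battery staple")]
    print("cracked from unsalted SHA-1:", crack_unsalted(leaked))
    stored = hash_password("letmein")
    print("PBKDF2 record:", stored)
    print("verify correct password:", verify_password("letmein", stored))
    print("verify wrong password:  ", verify_password("letmeout", stored))
```

The salt defeats the shared lookup table (each account must be attacked separately) and the iteration count makes each guess cost roughly 100,000 hash operations instead of one; neither protects an account whose password is guessable on the first few tries, which is the case for anything on a wordlist.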

Final Thoughts
The loss of 45.6 million records cost TJ Maxx an estimated $1.7 billion, not counting revenue from customers who vowed never to shop there again. At 101.6 million records, Sony’s breach now ranks among the largest in history. I wonder what this will cost Sony when the smoke clears?
