Texas A&M AgriLife IT Security
Texas A&M AgriLife IT SecurityLatest IT news & tips to keep your computer safe

September 2017 Security Considerations

by

In the last three months the three most-reported international security incidents have been always attached to a lack of security patching.  Equifax is claiming an unpatched Apache Struts security vulnerability aided hackers.  The Equifax incident site states, “The attack vector used in this incident occurred through  a Vulnerability in Apache Struts (CVE-2017-5638) …,” while others are pointing to a variety of other Equifax security weaknesses including use of admin:admin on web facing systems and also storing framework keys in a web facing system. Let’s only concentrate on security patching. 

This week and by next Tuesday over 200 security patches will be released by Microsoft, Apple, Adobe, VMWare, and Ubuntu. The first three have cross-pollinating products with patches released this week (Office for Mac, iTunes for Windows, Reader for everything), then there are those omni-platform Google Chrome surreptitious ones.  The steps even with a patch management product require constant oversight and monitoring.  When have you last worked your OU’s WSUS Update Status Summary report?  The first week of a month before “Patch Tuesday” is a good time to review for devices that are detected as needing many missing old patches.  Patching is a process and not a prayer. Use Microsoft Baseline Software Analyzer on devices that have consistent issues and it might tell you clearly what is missing.  The SANS organization has said they never do a customer consulting review and not find missing critical Microsoft patches.  Never!

Following a schedule of patching work can aid small shops in their work each month like:

  • First week – audit non-domain systems patch status
  • Second and Third weeks – software vendor new monthly patching
  • Fourth week -audit domain joined systems patch status
  • Fifth week (that some months have) – catch your breath. 

For your third party patch management product the steps always should be DEPLOY, VALIDATE, REPORT, MONTHLY PATCH AUDIT.   Third party products normally  have good reporting summaries and if you can report by domain-joined and non-domain joined then all the better to segment validation during the month.  But the key is taking the reporting and prioritizing to resolve the critical missing third party software security updates first.

Two final items:

  1. Ubuntu tcpdump vulnerability update can be found at  https://usn.ubuntu.com/usn/usn-3415-1/
  2. Apache Struts developers who had released a security patch for the Equifax-cited CVE on March 7, 2017 published sound advice this week for any security patching approach:

Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources. 

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.

Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.

For the Apache Struts Project Management Committee,

René Gielen
Vice President, Apache Struts 

Patch on AgriLife!

August 2017 Security Considerations

by

At the beginning of this month, the twitterverse was atwitter about a published paper where researchers using stickers made a self-driving auto’s vision system believe a stop sign was a 45 MPH sign.  All the researchers did was strategically place some short sticky strips on a stop sign.  A duct tape hack!   Sometimes it is hard to get clarity in what is really important, what is a true IT security risk, and what is an IT professional’s role in protecting their customers.  How can we protect our world when someone can take something as simple as duct tape and crash it?

That is when we go back to IT fundamentals: provision, protection, proactivity.

Provision:  knowing what you have, where it is, and who has access to it.  Portable devices are only a problem if you do not have automation to support them when they, at long last, do again show up on your subnet.   If you have to manually patch a laptop that has been in the field for three months before letting it on the network we have a problem (and you do too).

But what about user provision?  It’s also important you always have the business owner authorize access via eform, email, signature … to any access to anything … always.  IT provides the access to a service, IT does not authorize it.

Protection: this week 185  software patches were released by Adobe, Microsoft, Mozilla for Firefox, Ubuntu, VMWARE NSX.  Security patching is the basic protection, but so is measurement of the protections.   Echoing once more this is why automation of the tools are so important.  Let automation identify those exceptions that arise for numerous reasons that did not accept a security patch.  IT Security not only recommends you apply all Critical, High, Urgent, and Important patches (some vendors are not following the agreed upon vulnerability model) but in this day and age you must use an automated process.  The patch links are below

Adobe Patches

Firefox Patches

Microsoft Security Updates

Ubuntu Security Notices

VMWARE NSX Update

But what about user protection?  An applied computer policy/profile is key to insuring the most basic protection of all to a user: the password.  Security would recommend if you find a device on the wired network that is not using central authentication and does not have a password meeting the Password Authentication SAP, then – unless an approved written exception exists for that device – that you have the user immediately change the password to meet the SAP or take the device off the network.

Proactivity: the key to being proactive is knowing both our risks and our threats.  When our gas/charge on our automobile hovers near “E” we know what to do – pull into/plug into a service station.  The same is true of IT resources.  Raise the flag within your department if you do not have the time to meet the most basic functions of the job – one of those is security.   One of the greatest risks to a well run and protected IT operation is to stay silent when an IT professional knows there are not enough hours in the day to do all the work.  Silence is a large risk to IT all over the world today.  Many XP devices were not deprecated from NotPetya sites because they did not have the IT human resource to upgrade.   Not having automation to insure there is time to work on a wide variety of duties is not an excuse to forego performing those duties.  Doing nothing about a losing proposition is not a strategy — it is a failure.

But what about user proactivity? To be proactive with customers is simple … communicate with your customers.  Book an appointment on your calendar for one hour a week to do nothing more than communicate with your customers: email them them hot IT topics, tell them your expectations, or use part of that weekly hour appointment to visit the most demanding customers by phone or in person.

Provide, protect, and be proactive.  Stick with the fundamentals and don’t let anyone duct tape your daily hard-won efforts!   The Security Team sincerely appreciates it.

 

July 2017 Security Considerations

by

MICROSOFT JULY SECURITY UPDATES

Microsoft released 54 security updates on July 11, 2017: 19 critical, 32 important, and 3 moderate across most products.  Remote Code Execution (RCE) especially in Edge and Internet Explorer are prevalent and 33 of the Vulnerabilities relate to Edge and 14 to Internet Explorer.  Edge scripting engine for JavaScript had numerous corruption vulnerability updates.  There are important Office updates for both corruption and remote code execution vulnerabilities.  Two other critical updates to be very aware of due to the vulnerability scope might be from client or services systems you do not directly control but can establish elevated credentials either locally or on the domain are:

  • A remote code execution vulnerability (CVE-2017-8589) exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  This vulnerability goes across all Windows OSes.
  • CVE-2017-8563 is an elevation of privilege vulnerability that exists in Microsoft Windows when Kerberos falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol.  Those of you that use RDP with NTLM is vulnerable and specifically is one of the possibilities the Google researchers found.  Specifically those systems supporting the RDP connection need to be patched.  This vulnerability once more reveals the necessity of using 2FA (Duo) utilizing elevated privileges.

Agrilife Security recommends all Critical and Important updates be deployed immediately.

 

ADOBE JULY SECURITY UPDATES AND FLASH

Here is Adobe link for those with non-Microsoft systems to patch: https://helpx.adobe.com/security.html    It is important topnote Adobe Update APSB17-21 across Windows, Mac, and Linux OSes and Chrome, IE, and Edge browsers addresses a memory corruption vulnerability that can lead to remote code execution and really needs to be addressed quickly.   Some Security researchers are recommending remove the Flash Player plug-in from browsers or at the minimum implement “click-to-play” in Chrome.   Flash continues to be a long-running easily exploitable software.  To test click-to-play, enabling this feature is described at this help from Google Support:

https://support.google.com/chrome/answer/142064?hl=en

It is worth consideration as an additional security precaution.

Agrilife Security recommends all Adobe Critical and Important updates be deployed immediately.

 

JULY 20 UPDATES APPLE and ORACLE

It has been a busy week for Apple and Oracle.  Apple released updates to MacOS 10.10, 10.11, and 10.12.  They also released security updates in iOS 10.3.3 that were interesting for the level of vulnerabilities being corrected.  Info can be found at:

iOS 10.3.3 Security Updates

Oracle had their first major security updates across dozens of products since April but for most the updates to Java and MySQL will be of most interest.  The link below shows Criticals that need to be applied immediately:

ORACLE Critical Updates

There was  a CISCO WebEx security update released at beginning of week but it was for a very backlevel version of the WebEx plug-in/add-in/Chrome extension.  The method of updating will be dependent upon browser being used.

 

 

 

 

 

 

June 2017 Security Considerations

by

PHISHING, JUNE MICROSOFT UPDATE SUMMARY, JUNE ADOBE UPDATE SUMMARY

PHISHING BAIT IS GETTING BETTER AND BETTER AND THE HOOK SETS DEEPER

    Phishing emails coming in with subjects like “Invoice” or “Paycheck” or “FedEx” or “UPS” or “Your Upcoming Flight” continue to evolve.  Based on the look of the email they are sometimes indistinguishable from a real email – even from an internal Texas A&M Department – without investigating the email header or route.  The subject is the bait, the key is to avoid the hook – normally either an attached file or an imbedded link.  There is now even one phishing hook that is a ppt and if the user is running an Office version under Office 2013 then merely by hovering over the ppt in Outlook invokes Office macros to execute a malicious Powershell script.  There are now phishing double extension files such as *.doc.html . Clever, huh?
    How can you protect your userbase?  First, for user email-file-attachment-activity a key is instead use a shared file system and either having users use Syncplicity or Filex or SharePoint or using built-in folder sharing in applications like LaserFiche.  The user can either let the app send the link email notice or the sender only drops an email to the recipient mentioning a file should be available to them. Slowly, the users will be suspicious of unrecognized links or attachments.   Second, protecting the innocent victim from taking a malicious hook sometimes requires their software is fully patched like in the example of a ppt hover invoking a Powershell script.   That protection is your job that leads us to …

MICROSOFT JUNE 2017 UPDATES

    Microsoft doubled their May vulnerability updates and most are around Remote Code Execution vulnerabilities and Security strongly recommends insuring all Critical and Important patches are applied on these products:

    • Microsoft Edge Browser
    • Microsoft Windows Server and Workstation versions
    • Microsoft Office – many many “Important” patches to apply here
    • Microsoft Scripting Engine – that does the VB Script and javascript processing while browsing
    • Windows OLE – a new entry into the RCE vulnerability list
    • Microsoft GDI and Uniscribe engines
    • Adobe Flash Player – Windows PDF processor
    • Microsoft SharePoint
    • Windows Search – any SMB connection can invoke this vulnerability without authentication
    • Internet Explorer

ADOBE JUNE 2017 UPDATES

    • Adobe released this Critical Adobe Flash Update for a RCE vulnerability beyond Windows OSes including Mac, Linux, and Chrome OS.  That update can be found at:

https://helpx.adobe.com/security/products/flash-player/apsb17-17.html

    • As mentioned in past months those that have these OSes above (and AgriLife does have all three of those non-Windows OSes) please apply this update and check the Adobe Security Incident Response Site monthly at:

https://blogs.adobe.com/psirt/

 

May 2017 Security Considerations

by

WANNACRY

The May 12th WannaCry ransomware attack proves the importance of:

a) applying Microsoft Critical Security updates quickly
b) not having deprecated and unsupported OSes
c) the importance to have a good backup and DR plan in place for any Mission Critical systems.

Here are the Microsoft Security Update considerations:

1. Do not assume MS WSUS, Microsoft automatic updates, or a third party patching tool never encounter an error. The most common are powered off devices, devices that have been off the network a long time or are on the network too brief for an update, or devices that encounter a patch requirement for a variety of reasons.
2. You must check your patching product for errors and resolve those errors.
3. Maintain a list of errors/exclusions you patch manually and see if there is a pattern.

Off-network deprecated and unsupported OSes used still need attention:

1. Every aspect of TAMU and AgriLIfe IT Security recommend you update older OSes even on non-networked XPs.
2. If an unsupported OS such as XP must be utilized as a directly attached system controller and/or data acquisition device then you should password-protect the BIOS and disable the NIC(s) and any external connection not in use (WiFi, Bluetooth – force these devices to not NOT use Bluetooth keyboards or mice, unused USB ports). In this manner an XP cannot –even for a short time – be an attack vector by mistake.

Finally, a DR plan is only as good as the testing of it. I have never tested a DR plan and not encountered something unexpected. A backup is only as good as the regular monitoring and at least annual testing of a restoration and reliable current backups are a better friend than bitcoin in a successful ransomware attack.

MICROSOFT MAY SECURITY UPDATES

Please validate the March 2017 Microsoft Security Update MS-17-010 that was emphasized in the March edition of this blog is applied to all Windows OS versions.
For May, Adobe also released patches but no new ones on the “All Platforms”.

I will point out MS published a WINDOWS Defender/Malware Engine “Advisory” on May 8th and then an out-of-band fix by midnight for Remote Code Execution. Hopefully everyone is running SOPHOS! If running a MS security product using the MS malware engine see this: https://technet.microsoft.com/en-us/library/security/4022344

For the May MICROSOFT Security update those still not using an auto-patching tool I point you to the AgriLife Security blog from April 2017 if you are still having trouble navigating the new Microsoft Security Tech Center approach.

MICROSOFT May 2017 Patch Summary

Operating System
• Windows 7: 26 vulnerabilities of which 4 are rated critical, and 22 important
• Windows 8.1: 22 vulnerabilities of which 4 are rated critical, and the remaining 18 important
• Windows RT 8.1: 20 vulnerabilities of which 4 are rated critical, and 16 important
• Windows 10 version 1703: 22 vulnerabilities of which four are rated critical, and 16 important.
Windows Server products:
• Windows Server 2008: 27 vulnerabilities, of which 4 are rated critical, and 23 important
• Windows Server 2008 R2: 27 vulnerabilities, of which 4 are rated critical, and 23 important
• Windows Server 2012 and 2012 R2: 24 vulnerabilities, of which 4 are rated critical and 20 important
• Windows Server 2016: 23 vulnerabilities of which 4 are rated critical, and 19 important
Other Microsoft Products
• Internet Explorer 11: 10 vulnerabilities, 2 critical, 6 important, 2 moderate
• Microsoft Edge: 28 vulnerabilities, 16 critical, the rest important
• Microsoft Office: varies depending on version.

Security recommends applying all Critical and Important fixes.

SAMBA

A minority of AgriLIfe areas run SAMBA and if you have eliminated MS SMB V1 (CIFS) as recommended then you should have no concerns with WannaCry here. SAMBA is currently distributing 4.6.3 and really it defaulted to newer versions of SMB after the 3.6 release many years ago.

However, when it comes to ransomware sysadmins often forget that a Windows user with a share could encrypt files on a LINUX /home directory. Depending on the distro of Linux it could be a new version but very confusing to users. Multiple researchers have proven this.

Once more backups are always important … as is SAMBA maintenance. Below is the link to SAMBA’s Security Updates.

SAMBA Security Updates