Although we’ve not heard of anything specific, with the demise of support for Windows 7 on 1/14/2020, don’t be surprised if nefarious scoundrels attempt to deceive users into surrendering personal data or even control of their computers with promises of cheap or free upgrades.

Especially in the consumer market, users may be reluctant or delinquent in upgrading their older equipment and it wouldn’t be surprising for unsuspecting victims to be accosted by web-based attacks threatening dire consequences unless they “upgrade immediately!”

I wouldn’t be surprised if these attacks also come in the form of robo-calls with outlandish claims that an outdated computer has been “detected” and is “compromising other systems.” While these types of tech support scam phone calls are not new, the demise of Windows 7 support may give con artists leverage they can use to social engineer their way into users’ systems or accounts.

WRITING OUT “2020”

I recently heard of a warning regarding the new year, 2020. If you’re used to writing out a date and abbreviating the year using the final 2 digits, like 01/05/19, you might consider not abbreviating the year in 2020.

While it’s not as common to use long hand to write out a date, this year provides a unique opportunity for documents to be easily forged. A date written as 1/5/20 can be easily modified by adding digits to the end making the date either earlier or later than it was intended.

Texas DIR and TAMU System help promote awareness through various programs. DIR recommends review of the NICCS content noted here, sponsored by the Department of Homeland Security:

https://niccs.us-cert.gov/national-cybersecurity-awareness-month-2019

With the January 3rd announcement of the side-channel MELTDOWN/SPECTRE vulnerabilities and resulting impact on billions of devices it seems IT Security is 35 points behind at the start of a 4th quarter and the other team knows we are throwing long on every play.  Clearly, the understanding that everyone associated with technology – from processor engineer to student worker racing to a workstation with a browser pop-up announcing the user has “won” an Amazon GiftCard – now knows they have a long-term role in IT Security.

We aren’t in the 4th quarter!

IT security takes a game plan.  In the frenzy of announcement, we sometimes lose sight of the greatest risks.  Let’s take MELTDOWN.  It is not in the wild.  It would take intrusive software on the device to exploit this vulnerability that security researchers discovered.  It has even been said it requires a statistical probability either over a long period of time or across many devices to have successful mapping memory from the vulnerability and then plant an exploit.   Guess what?  It is even harder when a user reboots 🙂 The NIST National Vulnerability Database rate these as a medium risk vulnerability with a low exploitability score.  Contrast that with ransomware that are high risk and have double the exploitability.

So what’s the game plan?  If I was the lone IT support with 300 end-user devices and a handful of servers I would expect to spend 30 hours a month on IT Security and compliance.  Some of this time each month is not just patching, scanning, fighting AV and packet-sniffing alerts but educating users THAT REMAINS THE GREATEST RISK, increasing security via automation, and  getting rid of legacy security “holes” (like too many local administrators and old OSes).  We’re not going to lose this game!  We are only at half-time and while a little behind we have a good game plan of USER EDUCATION, vulnerability management, patch management, more security automation, and our all-SEC running back.

So what to do about MELTDOWN/SPECTRE?  Intel has said if the OS is patched MELTDOWN does not really require firmware.   Of the two variants of SPECTRE, both INTEL and flip-flopping AMD have announced they still must complete a firmware that addresses one of the variants.  It will be weeks before that firmware is out.  Chrome is about to release a browser version that purposely slows down direct cache processing to close the timing hole that can be exploited via the Chrome browser.   Part of risk management is knowing your high value targets and that means the first thing to patch are servers with lots of credentials in memory and in February when there is a long-field-tested stable firmware test the firmware on one low-impact system and then apply the firmware to high-value targets.

There is a lot of information on these exploits but one of the best reference is Intel itself.   At the below link INTEL provides both what they and other vendors from Acer as an OEM to Microsoft to Ubuntu are doing.  Now let’s go out there on the field and take the lead!

Intel Side-Channel Updates

 

Email is a hacker’s best friend!

Some of us probably use up to a handful of different mail clients on different platforms at home, at work, and in our mobile lives.  Counting different product versions still in use, there are almost 100 potential mainstream mail clients that might be used.  That is why it is not surprising that a security researcher recently found over 30 mail clients that had a vulnerability he dubbed Mailsploit.  The researcher used the extension of the ASCII coding scheme that the email wrapper can utilize to instead spoof header info, circumvent anti-spoofing software, and introduce code injection into certain lesser-known mail clients.

This is why it is extremely important if users have a mail client of personal preference due to features or taste, they recognize they have the possibility of being spoofed.  If they choose to use a value-added mail client/app they should be aware that they are accepting risk.  Outlook, Outlook Web Access, Gmail do not have the Mailsploit vulnerability risk, but the Mailsploit client list shared by the researcher also points out what clients/apps can be exploited.  Some of these are very mainstream clients on millions of devices.  Most of us think very little about their mail client on a daily basis, as an example many Outlook users believe they can easily recall messages via the Recall function.  They have no concept of both the Exchange Store dependency or the fact the recipients have to be using Outlook too on the function for a successful recall of an email; thus many recalled messages thought to be recalled are never really recalled.   How could a user be expected to understand what happens when an email header is unwrapped?

Not only is email is a hacker’s best friend but at phishing time email is a very loyal companion!

Phishing has overtaken brute force as the preferred method to get credentials.  The sophistication of some phishing attacks’ impersonation of legitimacy is quite astonishing.  As most updated browsers now alert users to sites that are “Not secure” – in other words sites that do not use https – the Phishers have been moving their attack servers to SSL_certificated servers.   PhishLabs reports a quarter of all attacks now link to a site that is https with a valid certificate and will appear in the browser icon as secure (green lock “Secure” in Chrome).   What compounds the problems is the phishers also make sure the certificated site’s URL appears legitimate at a glance:

  https://facebook.com.fb.net

As a point of education, go to PhishTank and — if you have an hour — page through all the reported phishing sites  detected in a single hour.   It may take you an hour to do an hour of phishing sites reported– it is staggering.   Take time to click a few that seem of interest by their name that will give you a safe framed look and you can safely see how legitimate the phishers’ credential capture entry screens appear.   Many security firms have pointed out training on phishing is most effective when users are sent emails that measure whether the targeted users click a link in an internal potential phishing link.  An IT-prepared unanticipated pseudo-phish email to judge users needing training on phishing is worth a dozen abstract warnings.  When it comes to changing phishing behavior, training that help users learn by doing has been measured as far more effective than just getting a “be aware …” email.

20th century folks use to worry about their snail mail being stolen and getting a paycheck or compromising their accounts, in the 21st century the worry is you might click the email link that compromises your life!

So as we get those New Year’s emails from old acquaintances – hopefully not forgotten – or what looks like a Facebook email reminder on a holiday party photo you are tagged in we really need to know what we’re clicking on.  Or better yet your Security Team hopes you enjoy the holidays with as little work clicking as absolutely necessary!

In the last seven days seeing another 200 patches from Google, Mozilla, Adobe, and Microsoft caused a gasp!

Lone SysAdmins have a tough job.  They have always had among their responsibilities: hardware, software, user profiles, networking, failover, backup, disaster recovery, and very often web services.  However, in the last decade SysAdmins have seen increased duties in virtualization, security monitoring, compliance, and containing the constantly growing fungal spread of 600 million unique malwares.

A decade ago a SysAdmin might have occasionally spent time in some security prevention duties: firewall ports, AV, adware updates, web-filtering, and fighting spam.   In many cases some of these duties were done quite similarly between servers and end-user devices. A decade ago, the SysAdmin might have put up a Microsoft WSUS server and let it run itself mainly for OS updates.   One concern a decade ago was brute force attacks and the more advanced SysAdmin might have talked about and put in place intrusion detection.

That was a decade ago.  There are days brute force attacks look like the good old days!

Today, the SysAdmin has the additional duties of running a true patch management program that includes promptly looking for failures of patch application and applies across all software products, dealing with multiple browsers and their extensions on the same device, intrusion prevention knowing that only detecting an intrusion makes for a bad week, dealing with unexpected configuration vulnerabilities that a vulnerability scanner – either active or passive – detects, responding to different tool security alerts, APT monitoring, active threat capture, advanced malware detection software in case of an infiltration … and … and … and ….

System management now includes more formalized change management, patch management, vulnerability management, alert management, threat management, and compliance management.  Among the challenges this brings (besides being spread as thin as a dragonfly’s wings) are new tools “crying wolf” far too often on normal operations, alert fatigue and the potential it brings to miss a critical alert,  and finally working less and less with the technology that provides a solution to the users.  How does a SysAdmin do it who is dizzy from spinning a chair around from monitor to monitor?

The ordinary struggle and to struggle_with_the_ordinary both take more than perseverance … it takes a plan.  A SysAdmin walking into the day unprepared might meet the definition of insanity .

So how does a SysAdmin approach it? Now add  “time management” and working on SysAdmin automation in addition to all those other SysAdmin-managements.   Seriously!

Let a dev/ops solution take on some of the insanity and with the rest that take “eyeball-time” schedule recurring appointments on the calendar.  “Sorry, I can’t meet with you right now, I have an appointment at 10a that must be completed by 11a.  I’ll look you up afterwards.”  Scheduled duties are completed better than unscheduled ones.  Put on your schedule:

1) a recurring weekly time to advance your automation of some of the duties

2) a daily monitoring duties all at once into one daily recurring appointment with yourself:  was there a daily backup failure? why did the performance alert go off on GHOST-IN-THEMACHINE_12?  what’s the AV console say? Separate the nuisance alerts from the ones worthy of your time …

3) schedule separate recurring times to review those Sysadmin duties that really take diligence and patience and your mind.   You know the ones where you have to backtrack through a dozen alerted IPs to see if there really is an issue, a plan to virtualize more of your infrastructure, planning some major major OS upgrades you’ve been putting off.

Systematizing a SysAdmin might be the most unrealistic duty of all but it is key to the administrative and security requirements of the current times … and it might keep those dragonfly wings beating.

Happy Thanksgiving from your Security Team that is very thankful we get to work with you!