Tag Archives: Blog Post Shout Out

Blog Post Shout Out: June 2018

A number of varied security issues have come to my attention this week which I wanted to keep you informed of. I will provide a respectful shout out to the following sources:

Apple Encrypted Drive Information Disclosure:
At the time of writing, Apple macOS has an information disclosure vulnerability that affects encrypted drives in general (encrypted Apple HFS+ and APFS volumes as well as VeraCrypt volumes) and that could let an attacker learn the names, and see thumbnail previews, of the files an encrypted drive is storing.

This vulnerability originates from the Quick Look feature of macOS, which allows a user to preview photos, files and folders quickly without having to open them. The feature stores the thumbnails (defined) it generates centrally, in a non-encrypted area of the boot drive, regardless of whether the original file lives on an encrypted volume. The same issue occurs when a USB memory drive is inserted: thumbnails of its files are written both to the external drive and to the boot drive of the macOS system.

If you use an encrypted hard disk or value your privacy when using external drives, run the command documented at the end of the following news article after you have viewed sensitive files and want to clear that history/activity:

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives: BleepingComputer by Catalin Cimpanu

This suggestion is a workaround until (and if) Apple changes this behaviour.

=================
Yubico WebUSB Bypass:
The two-factor authentication/secure login vendor Yubico has published a security advisory for users of its YubiKeys. The vulnerability does not reside within the hardware keys themselves but in the browser: a malicious website could use Google Chrome's WebUSB API to talk to the key directly, bypassing the origin (phishing) protection that U2F normally provides.

In summary, if you are using Google Chrome, please ensure it is updated to version 67 or later and follow the additional suggestions in Yubico's security advisory:

Security Advisory 2018-03-02 – WebUSB Bypass of U2F Phishing Protection: Yubico

Windows 10 Persistent Malware:
The security vendor Bitdefender has published a 104 page report detailing spyware (defined) which uses rootkit functionality (defined) to hide itself. This malware is noteworthy due to its longevity (dating back to 2012) and its ability to install even on modern versions of Windows, e.g. Windows 10:

Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation: Bitdefender Labs

=================
On a side note, I am not too surprised this infection can persist on Windows 10. If a user is tricked into running malware, e.g. by clicking a link or opening an attachment contained in a phishing (defined) email, or in an even more convincing spear phishing (defined) email purporting to come from an organisation or colleague you trust, strong defences won't always keep you from becoming infected.

The Bitdefender report can be downloaded from the above link (it does not request any personal information).

=================
The following news article links to two detailed but still easy to follow removal guides. If you are experiencing unwanted adverts within websites that don't usually show them (even though you are using an ad blocker), or are experiencing redirects (you wish to visit website A but are actually sent to website B), please follow these guides to remove this malware:

Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US: BleepingComputer: by Catalin Cimpanu
=================

Thank you.

Blog Post Shout Out: Security Advice for Summer Holidays/Travel

With the Summer holiday season approaching, I wanted to provide a respectful shout out to the following security tips/articles for travelling. Even when we are out of the office and away from our homes, we should maintain vigilance to stay secure and safe.

Many of these tips you may already be using, and many of them are simple to follow but can make a real difference in ensuring your time away runs smoothly, with no unwanted surprises when you return home.

Tips such as being mindful before using a public charging station I have discussed before, but this series of tips groups them together for ease of use and convenience.

Some of the most important tips are:

  • Ensuring your portable devices are encrypted
  • Keeping portable devices with you or safely locked away
  • Changing your passwords (from a system you own) after you have used a publicly available computer
  • Enabling two factor authentication (more on this below)
  • Not making it obvious you have expensive devices with you (the tips from US-CERT below will clarify this advice)

Securing Mobile Devices During Summer Travel: US CERT
Holiday Traveling with Personal Internet-Enabled Devices: US CERT
Protecting Portable Devices: Physical Security: US CERT
International Mobile Safety Tips: US CERT
Cybersecurity for Electronic Devices: US CERT

====================
How to set up 2FA on eBay – go do it now!: Sophos Naked Security blog: by Maria Varmazis
Enabling 2FA for any online account is a great security measure and will be particularly useful when travelling, providing that extra layer of security should your password be captured on a shared or public network.
====================

How digital spring cleaning can protect your personal information: WMBF News: Christina Lob
Digital spring cleaning involves (among other steps) removing apps from your smartphones/tablets/computer systems that you don't use. This enhances security since there will be less for attackers to target, both in terms of software vulnerabilities (a reduced attack surface (defined)) and the personal information these apps may store or provide access to. It will also make it easier to maintain the device while travelling, since there will be fewer apps to update and the device will have more free space should you need it.

Once you are back home, the article advises further steps, e.g. regularly checking your bank account and credit cards for signs of unusual or unknown transactions and reporting them as soon as possible. This is a good practice just in case any of your cards were unknowingly compromised while abroad.

For the final tips the article describes, I wanted to provide some clarification:

Clearing out email inboxes is a good idea but will only enhance security if your account has been compromised or you are being shoulder surfed by those around you; if you are following password and email best practices this shouldn't happen.

Its advice on passwords could be better (this advice from Sophos is more secure), and emptying recycle bins, while useful, doesn't truly delete data beyond recovery: the file's blocks remain on disk until they are overwritten. Full disk encryption (the first tip above) is what actually protects that residual data if the device is lost or stolen.

Thank you.

Blog Post Shout Out: Cisco IOS XE and Drupal Security Updates

I wish to provide a respectful shout out to the following security advisories and news articles for their coverage of critical security vulnerabilities within Cisco IOS XE and the Drupal CMS (defined), released on the 28th and 29th of March respectively.

The backdoor (defined) account being remediated within the Cisco IOS XE update could have allowed an unauthenticated attacker to remotely access an affected Cisco router or switch and carry out any action allowed by privilege level 15 (the highest privilege level on IOS, i.e. full administrative control).

Meanwhile the Drupal vulnerability (dubbed “Drupalgeddon2”) is rated as highly critical since it is remotely exploitable without authentication and easy for an attacker to leverage, allowing the attacker to run code of their choosing on the affected site.

Please follow the advice within the advisories linked below and update any affected installations of these products that your organisation may have:

March 2018 Semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

Cisco Removes Backdoor Account from IOS XE Software (includes mitigations if patching is not possible) by Catalin Cimpanu (Bleeping Computer)

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002

Drupal Issues Highly Critical Patch: Over 1m Sites Vulnerable by Tom Spring (Kaspersky ThreatPost)

Thank you.

Blog Post Shout Out: Meltdown and Spectre Article and WPA3

I wish to provide a respectful shout out to the following articles for providing useful information on emerging vulnerabilities and technologies.

With the large media coverage of the Meltdown and Spectre CPU hardware vulnerabilities (including on this blog!), the following Ars Technica article is particularly useful since it describes in detail (but still in an easy to understand manner) how two instructions present in modern CPUs help to alleviate the performance impact of the mitigations.

The article also describes (all in one place) the three mitigations Intel has added to its CPUs via a microcode update. AMD meanwhile has added two mitigations to its CPUs (the difference in numbers is also explained).

=======================

With the announcement of the new wireless security protocol WPA3 at CES earlier this month, it was relatively easy to learn of the security changes the new WiFi standard will introduce. These changes are very welcome following the publication of the KRACK vulnerability in WPA2 last year. However, the questions I wanted answered were not as straightforward:

  1. While devices with WPA3 are set to be made available in 2018, will they arrive early or late in the year?
  2. Are the WPA2 devices I have now likely to work with a new WPA3 router?
  3. Will it be pointless to have a WPA3 router if all or most of my devices are WPA2, if it cannot provide both standards of security at the same time?

All of the above questions are addressed in this How to Geek article. I hope you find these articles helpful. Thank you.

Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection

Happy New Year to all readers of this blog!

With attacks on routers increasing (e.g. this article concerning D-Link) and vulnerabilities continually being patched within Internet of Things (IoT) (defined) devices, it's great news that security technologies are adapting to monitor and protect them.

I wanted to provide a respectful shout out (although not to blog posts this time) to products from several vendors that promise to better protect against threats such as the Mirai malware and others like it.

Full disclosure: I’m not receiving any incentives or benefits from any of these vendors; I simply wish to promote awareness of existing and upcoming technologies that we can use to better secure the increasing number of IoT devices that we are using in our everyday lives.

For example, early last week Symantec began accepting pre-orders for their new wireless router. Initially this will only be available in the US but will be extended to more regions in the future.

While a wireless router is nothing new, it is one of the first I have encountered that includes protection for Internet of Things (IoT) devices.

In their words it “constantly monitors your connected devices like WiFi thermostats, smart locks, appliances or home security cameras for suspicious activity and identifies vulnerabilities. If a device becomes compromised, it quarantines the threat before it spreads ensuring your digital world is safe.”

A similarly powerful offering from F-Secure is also in progress. Like Symantec's, F-Secure's product is scheduled for release in Q2 of 2017.

These solutions are further refinements of the wireless router/access point security features that have been available since late 2015. For example, Asus' AiProtection feature (using technology licensed from Trend Micro) incorporates most of the features that F-Secure and Symantec offer, just without the IoT management and reporting.

There are interesting times ahead as Internet of Things (IoT) devices and wireless routers become increasingly managed and monitored, allowing us to secure them better. My sincere thanks to a colleague (you know who you are!) for assistance with this post.

Thank you.

Blog Post Shout Out: SHA-1 Migration and Internet of Things (IoT)

With the transition to SHA-2 rapidly approaching (January 2017), if you have not already begun the migration process for your website, or are having difficulty locating all of the certificates that need migrating, the following article (to which I wish to provide a respectful shout out) may be of assistance. It includes advice on making the best use of the remaining time:

SHA-1 Time Bomb: One Third of Websites Have Yet to Upgrade by Phill Muncaster (Infosecurity Magazine)

This issue is also of note since Google (like the other browser vendors) is moving away from SHA-1 and will remove support for SHA-1 signed certificates in Chrome version 56. Further details are provided in their blog post. The source of the statistics for the Infosecurity Magazine article was this blog post from Venafi, an organisation that provides cryptography related solutions and services to enterprises.
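Locating the certificates that still need migrating starts with reading each one's signature algorithm. As an added example (not code from the Infosecurity Magazine or Venafi articles, nor from this blog), the following Python script parses the outer DER structure of an X.509 certificate just far enough to read the signatureAlgorithm OID and flags any certificate whose signature still uses SHA-1. The sample "certificates" it checks are constructed stand-ins with an empty tbsCertificate, and the host names in SAMPLES are made up; a real certificate exported from your web server or pulled from an inventory tool drops in unchanged via pem_to_der.

```python
"""Flag X.509 certificates still signed with SHA-1 (added example, not from the cited articles).

Only the outer structure is parsed:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
  AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
"""
import base64

# Signature-algorithm OIDs: (name, digest is SHA-1 and therefore needs migration).
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3": ("dsa-with-sha1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def read_tlv(data: bytes, pos: int):
    """Parse one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and base64-decode a PEM certificate."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der, with the usual 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(der: bytes):
    """Return (oid, name, is_sha1) for a DER-encoded X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)        # skip tbsCertificate entirely
    tag, alg_start, _ = read_tlv(der, tbs_end)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    oid = decode_oid(der[oid_start:oid_end])
    name, is_sha1 = SIG_ALGS.get(oid, (oid, False))  # unknown OID: report it, do not flag it
    return oid, name, is_sha1


def report(certs: dict) -> list:
    """Return the names of certificates (name -> DER bytes) that still use SHA-1."""
    return [name for name, der in certs.items() if signature_algorithm(der)[2]]


# --- constructed sample data: NOT real certificates ---------------------------
def _der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV; sufficient for the small stand-in structures below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def sample_cert(sig_oid_hex: str) -> bytes:
    """Stand-in Certificate: empty tbsCertificate, given signature OID, empty signature."""
    tbs = _der(0x30, b"")                                              # real certs: large
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))  # NULL params
    sig = _der(0x03, b"\x00")                                          # empty BIT STRING
    return _der(0x30, tbs + alg + sig)


SAMPLES = {                                                            # hypothetical hosts
    "legacy-www.example": sample_cert("2a864886f70d010105"),           # sha1WithRSAEncryption
    "www.example":        sample_cert("2a864886f70d01010b"),           # sha256WithRSAEncryption
}

if __name__ == "__main__":
    for host, der in SAMPLES.items():
        print(host, signature_algorithm(der))
    print("need SHA-2 migration:", report(SAMPLES))                    # ['legacy-www.example']
```

Note that the signatureAlgorithm field describes how the issuing CA signed this certificate, which is what browsers check; a certificate's own key type says nothing about it, so an RSA-2048 or ECDSA certificate can still be SHA-1 signed and need reissuing.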

=======================
With the DDoS attack (defined) against the DNS service Dyn last month attributed to Internet of Things (defined) devices, further steps need to be taken to secure them. To assist with this, US-CERT has published a PDF document titled “Strategic Principles for Securing the IoT”. It is intended for consumers, operators and manufacturers of IoT devices and is available from the link below:

Securing the Internet of Things (US-CERT)

=======================
Thank you.

Blog Post Shout Out: Securing Internet of Things and WiFi

With Internet of Things (IoT) devices becoming part of everyday life, properly implementing public key cryptography (defined) within them (in particular, giving each device its own unique private key rather than shipping one shared key in the firmware) is a critical step that should not be overlooked.

Such devices rely on wireless access being available almost everywhere, and those wireless networks should also be secured as much as possible (especially in corporate environments) so as not to inadvertently provide an easy means of accessing your internal network.

For both of the above technologies I wanted to provide a respectful shout out to the following blog posts, which provide step by step advice on securing wireless networks (including physical security and hardening guest network access) as well as on how public key cryptography should be implemented and used within IoT devices:

9 things to check after installing wireless access points by Eric Geier (Computerworld)
4.5 million web servers have private keys that are publicly known! by Paul Ducklin (Sophos Security)

I hope that you find the above posts/resources useful. Thank you.