URGENT/11 Zero-Day Vulnerabilities Impacting 2 Billion Devices

July 31st, 2019 by Julie Lough


It was only a matter of time before connected devices became a target. The current vulnerabilities allow remote attackers to gain full control over IoT devices.

Security professionals have known that connected devices are a risk, but the latest news around the URGENT/11 vulnerabilities may surprise even the most hardened security professional. Over 2 billion connected devices are thought to be vulnerable, including a range of printers, VoIP phones, routers, medical equipment, firewalls, elevators and industrial controls. Any connected device running the VxWorks operating system created by Wind River has the potential to be affected, allowing an attacker to remotely gain control over the device.

URGENT/11 Vulnerabilities

Dubbed “URGENT/11”, these security risks include six critical vulnerabilities affecting VxWorks 6.5 or higher versions that include the IPnet stack. According to security research firm Armis, a few versions of the OS may not be affected, such as Wind River’s VxWorks Cert Edition and VxWorks 653. Whether devices sit within the network perimeter or on the edge, they can still be leveraged for remote access directly into networks. The vast range of manufacturers of the devices at risk means the level of security at the device level is likely to vary dramatically between product types. Fortunately, Wind River Systems provided critical patches in a recent July 19 release, but that may not be enough to reduce the risk for organizations using these connected devices.

What is VxWorks?

“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses”. As an RTOS, or real-time operating system, VxWorks has generally been considered to be a stable solution for IoT and other interconnected devices with only 13 vulnerabilities reported in over 32 years of operation for the platform. Since it is only older versions of the RTOS that are vulnerable to attack, it’s thought that newer devices should be relatively safe and many affected devices are already reaching end-of-life. These devices are generally ones where chipsets only need to manage a few basic pieces of information, such as input/output operations, where little data processing is required.

How to Protect Your Business

While officials at VxWorks and Armis note that there are no indications that the URGENT/11 vulnerabilities have been exploited, the extreme disruption that could be caused within an organization is reason enough to warrant a proactive effort to protect your organization. Here are the recommended steps from Wind River security professionals and engineers:

You can view the full URGENT/11 whitepaper with a breakdown of the vulnerabilities and suggestions for remediation online. Experts note that the level of disruption could be significant, perhaps even rivaling the EternalBlue 2017 vulnerability or the WannaCry ransomware attack. In each of these instances, it was challenging for many small businesses to determine the best steps to move forward and protect their organization.

Partnering with an IT services firm helps ensure that your business is alert to this type of critical attack vector. Staying vigilant for vulnerabilities and quickly applying patches may mean the difference between a few hours of work patching devices or servers and months of remediation as you attempt to recover from a major attack.


Important Security News About Mac & Zoom

July 9th, 2019 by Julie Lough

Did you know that your Macintosh webcam could have been hijacked? A serious security flaw in the Zoom video conferencing application joined Mac users to video calls without their permission.

Zoom and Mac Security

Zoom has now released a fix.

A vulnerability in the Mac Zoom client allowed malicious websites to enable Mac cameras without users’ permission. This is a serious flaw that was thankfully discovered by Jonathan Leitschuh.

Jonathan Leitschuh, a US-based security researcher, reported this serious zero-day vulnerability. It allowed any website to forcibly join someone to a Zoom call, and activate their video camera.

Plus, he said that the vulnerability let any webpage cause a Denial of Service (DoS) by repeatedly joining the Mac user to an invalid call.

Even if the user uninstalled the Zoom application from their Mac, it could be re-installed remotely.

What Should Mac Users Do?

To fix this particular issue, Leitschuh advised that Mac users with the Zoom application installed, update it to the latest version of Zoom and then check the box in settings to “Turn off my video when joining a meeting.”

A computer webcam is always a potential gateway for security intrusion. This is why some users put a piece of tape over their webcam just in case.

Zoom Has Since Patched The Vulnerability

The vulnerability has been patched; however, the flaw could have exposed up to 750,000 organizations around the world that use Zoom.

Leitschuh said that the Zoom vulnerability was originally disclosed on March 26, 2019, and that a “quick fix” from Zoom could have been implemented to change their server logic. However, it took them 10 days to confirm the vulnerability. And, it wasn’t until June 11, 2019, that Zoom held their first meeting about how to patch the vulnerability. This was only 18 days before the required 90-day public disclosure deadline.

He said that he contacted Zoom on March 26, giving them the public disclosure deadline of 90 days. Zoom patched the issue so that a webpage couldn’t automatically turn on a webcam, but this partial fix regressed on July 7th, allowing webcams to once again be turned on without permission.

What Was Zoom’s Response?

“Zoom installs a local web server on Mac devices running the Zoom client…This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless one-click-to-join meetings, which is our key product differentiator.”

Zoom also reported that they had no record of a Denial of Service or this type of weakness being exploited. They said that they fixed the security flaw back in May.


What Is The Fake DHS Phishing Email Going Around?

June 24th, 2019 by Julie Lough

How Can You and Your Employees Avoid It?

The Cybersecurity and Infrastructure Security Agency (CISA) is warning about an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications.

The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert and lure targeted recipients into downloading malware through a malicious attachment.

DHS Phishing Emails

CISA says that users should take the following actions to avoid becoming a victim of social engineering and phishing attacks:

  • Be wary of unsolicited emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact our helpdesk or search the internet for the main website of the organization or topic mentioned in the email).
  • Use caution with email links and attachments without authenticating the sender. CISA will never send NCAS notifications that contain email attachments.
  • Immediately report any suspicious emails to our helpdesk.

What Is A Phishing Attack?

Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem.

When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:

  • Natural disasters (e.g., hurricanes, earthquakes)
  • Epidemics and health scares (e.g., H1N1)
  • Economic concerns (e.g., IRS scams)
  • Major political elections
  • Holidays

Why Can Email Attachments Be Dangerous?

Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers:

  • Email is easily circulated. Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don’t even require users to forward the email—they scan a user’s computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open any message that comes from someone they know.
  • Email programs try to address all users’ needs. Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.
  • Email programs offer many “user-friendly” features. Some email programs have the option to automatically download email attachments, which immediately exposes your computer to any viruses within the attachments.


How Do You and Your Employees Avoid Being a Victim?

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Don’t provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Don’t reveal personal or business financial information in an email, and don’t respond to email solicitations for this information. This includes following links sent in an email.
  • Don’t send sensitive information over the internet before checking a website’s security.
  • Pay attention to the Uniform Resource Locator (URL) of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Don’t use the contact information provided on a website connected to the request; instead, check previous statements for contact information.
  • Ask us to install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
  • Take advantage of any anti-phishing features offered by your email client and web browser.
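The advice above to inspect a link’s URL for a different top-level domain, a spelling variation, or a familiar name hiding inside an unrelated host can be turned into a first-pass screen. The script below is an added example, not part of CISA’s guidance: the trusted-domain list, the sample links and the function names are constructed for illustration, and its heuristics are deliberately simple, meant to prompt the manual verification the bullets recommend rather than replace it.

```powershell
# Added example (not CISA's code): screen links from an email against the domains we expect
# notifications to come from. Trusted list, sample links and function names are constructed.

function Get-EditDistance {
    param([string]$a, [string]$b)
    # Levenshtein distance: number of single-character edits between two strings
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-EmailLink {
    param([string]$Url, [string[]]$TrustedDomains)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return "UNPARSEABLE  $Url"
    }
    $hostName = $uri.Host.ToLowerInvariant()
    $labels   = $hostName.Split('.')
    # Second-to-last label, e.g. "dhs" in "alerts.dhs.com". This ignores multi-part public
    # suffixes such as .co.uk, which is good enough for a first screen.
    $registrable = if ($labels.Length -ge 2) { $labels[$labels.Length - 2] } else { $labels[0] }

    foreach ($trusted in $TrustedDomains) {
        $trusted = $trusted.ToLowerInvariant()
        $brand   = $trusted.Split('.')[0]
        # Exact match or a genuine subdomain of the trusted domain
        if ($hostName -eq $trusted -or $hostName.EndsWith(".$trusted")) {
            return "OK           $hostName is $trusted or a subdomain of it"
        }
        # Same name, different top-level domain (.com vs .gov)
        if ($registrable -eq $brand) {
            return "SUSPICIOUS   $hostName uses the name '$brand' under a different top-level domain than $trusted"
        }
        # One or two characters off from the real name (only for names long enough to avoid noise)
        if ((Get-EditDistance $registrable $brand) -le 2 -and $brand.Length -ge 5) {
            return "SUSPICIOUS   $hostName looks like a misspelling of $trusted"
        }
        # Trusted name appears somewhere in the host, but the host is not under the trusted domain
        if ($hostName -like "*$brand*") {
            return "SUSPICIOUS   $hostName contains '$brand' but is not under $trusted"
        }
    }
    $scheme = if ($uri.Scheme -eq 'https') { 'HTTPS' } else { 'NOT HTTPS' }
    return "UNKNOWN      $hostName is not a trusted domain ($scheme); verify it independently"
}

# Constructed sample links (not real campaign indicators) and the domains we trust
# for this kind of notification
$trustedDomains = @('dhs.gov', 'us-cert.gov')
$sampleLinks = @(
    'https://www.us-cert.gov/ncas/alerts',
    'https://us-cert.com/ncas/alerts',
    'http://uscert.gov/alerts',
    'https://dhs.gov.alerts-center.example/login',
    'https://example.org/newsletter'
)
foreach ($link in $sampleLinks) { Test-EmailLink -Url $link -TrustedDomains $trustedDomains }
```

Anything the script does not return as OK still needs the manual step from the list above: open the organization’s real site from a known address or previous correspondence rather than from the link, and report the email to the helpdesk.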

Get New School Security Awareness Training

You must train your employees to be constantly vigilant to identify attackers’ attempts to deceive them. New-School Security Awareness Training will provide the knowledge they need to defend against these attacks.

What Is New-School Security Awareness Training?

More than ever, your users are the weak link in your IT security. You need highly effective and frequent cybersecurity training, along with random Phishing Security Tests that provide several remedial options in case an employee falls for a simulated phishing attack.

With world-class, user-friendly New-School Security Awareness Training, you’ll have training with self-service enrollment, completion logs, and both pre- and post-training phishing security tests that show you who is or isn’t completing prescribed training. You’ll also know the percentage of your employees who are phish-prone.

And with the end-user training interface, your users get a fresh new learner experience that makes learning fun and engaging. It has optional customization features to enable “gamification” of training, so your employees can compete against their peers on leaderboards and earn badges while learning how to keep your organization safe from cyber attacks.

With New-School Security Awareness Training You’ll…

Have Baseline Testing to assess the phish-prone percentage of your users through a free simulated phishing attack.

Train your users with the world’s largest library of security awareness training content; including interactive modules, videos, games, posters and newsletters, and automated training campaigns with scheduled reminder emails.

Phish your users with best-in-class, fully automated simulated phishing attacks, and thousands of templates with unlimited usage, and community phishing templates.

See the results with enterprise-strength reporting that shows stats and graphs for both training and phishing, all ready for your management.

New-School Training…

  • Sends Phishing Security Tests to your users and you get your phish-prone percentage.
  • Rolls out Training Campaigns for all users with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
  • Uses Advanced Reporting to monitor your users’ training progress, and to watch your phish-prone percentage drop.
  • Provides a New Exploit Functionality that allows internal, fully automated human penetration testing.
  • Includes a New USB Drive Test that allows you to test your users’ reactions to unknown USBs they find.

Plus, you can access Training Access Levels: I, II, and III giving you access to an “always-fresh” content library based on your subscription level. You’ll get web-based, on-demand, engaging training that addresses the needs of your organization whether you have 50, 500 or 5,000 users.

Keep your business from being victimized by phishing attacks.

We can tell you more about New School Security Awareness training for your employees.


Critical Update From The NSA

June 11th, 2019 by Julie Lough

The NSA Is Urging Users To Patch Remote Desktop Services On Legacy Versions of Windows

The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a vulnerability in older versions of Windows.


Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the Internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.

CVE-2019-0708, dubbed “BlueKeep,” is a vulnerability in Remote Desktop Services (RDS) on legacy versions of the Windows® operating system. The following versions of Windows® are affected:

  • Windows® XP
  • Windows Server® 2003
  • Windows® Vista
  • Windows Server® 2008
  • Windows® 7
  • Windows Server® 2008 R2

What Is A Wormable Virus?

A wormable flaw means that malware can get into your system without you doing anything, such as clicking a malicious link. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights without your knowledge.

Any future malware that uses this vulnerability could propagate from one vulnerable computer to another. This is how similar malware like WannaCry spread around the world. Experts are worried that this flaw could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.

Another Problem

Although Microsoft has issued a patch, potentially millions of machines are still vulnerable. This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability.

For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability.

NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

What Should You Do?

Microsoft has released a critical update for their Remote Desktop Services that impacts multiple Windows versions. The patches are for devices and systems that are both in and out-of-support, which is rare for Microsoft to do. This shows the importance of these patches.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests. To apply the patches, go to the Microsoft Security Update Guide for in-support systems and KB4500705 for out-of-support systems.

Microsoft recommends that customers running one of these operating systems download and install the update as soon as possible.

Does This Mean Even Systems Without Support Can Get The Patch?

Yes, Microsoft is aware that some customers are running versions of Windows that no longer receive mainstream support. This means that you wouldn’t have received any security updates to protect your systems from the CVE-2019-0708 vulnerability.

Given the potential impact to customers and their businesses, Microsoft decided to make security updates available for platforms that are no longer in mainstream support. All Windows updates are available from the Microsoft Update Catalog.

What Should You Do Before We Apply The Update?

It’s recommended that you back up all of your important data first. If you have a reliable backup, and if the patch creates problems, you can still access your data. You should do this before you install any patches.

What If You Can’t Apply The Patches?

If you can’t apply the patch for your system there are other things that you can do:

  • If you don’t need the Remote Desktop Services, you can disable it.
  • Block the TCP port 3389 (this prevents unauthorized requests from the Internet).
  • Enable NLA (Network Level Authentication) for Windows 7 and Windows Server 2008.
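The three interim mitigations above can be checked and applied from an elevated PowerShell prompt on the affected host. The script below is an added example, not code from the NSA or Microsoft advisories: the registry values and netsh syntax are standard Windows, while the function names, parameter names and firewall rule name are this example’s own. It is written for PowerShell 2.0, the version Windows 7 and Server 2008 R2 shipped with, so it avoids New-NetFirewallRule and the [pscustomobject] accelerator, which need Windows 8 / PowerShell 3.0 or later.

```powershell
# Added example (not from the advisories): audit and apply the interim BlueKeep mitigations
# on a Windows 7 / Server 2008 R2 host. Run elevated. Function and rule names are this
# example's own; registry paths and netsh syntax are standard Windows.

$TsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey   = "$TsKey\WinStations\RDP-Tcp"
$RuleName = 'BlueKeep interim - block inbound TCP 3389'

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop connections are refused (mitigation 1)
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required (mitigation 3)
    $nla  = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Is anything actually listening on TCP 3389 right now?
    $listening = netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING'
    # Does our block rule already exist? netsh prints "No rules match" when it does not (mitigation 2)
    $ruleText = netsh advfirewall firewall show rule name="$RuleName" | Out-String
    $blocked  = $ruleText -notmatch 'No rules match'

    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -ne 1)
        NlaRequired          = ($nla -eq 1)
        Port3389Listening    = [bool]$listening
        FirewallBlockRule    = $blocked
    }
}

function Set-RdpMitigations {
    param(
        [switch]$DisableRemoteDesktop,   # mitigation 1: only if nobody needs RDP on this host
        [switch]$BlockPort3389,          # mitigation 2: host firewall rule for the Public profile
        [switch]$RequireNla              # mitigation 3: Network Level Authentication
    )
    if ($DisableRemoteDesktop) {
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    }
    if ($RequireNla) {
        Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1
    }
    if ($BlockPort3389) {
        # Scoped to the Public profile so RDP from the internal network keeps working. The block
        # for Internet traffic also belongs on the perimeter firewall, not only on each host.
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=3389 profile=public | Out-Null
    }
    # Re-read the settings so the caller sees the resulting state
    Get-RdpExposure
}

# Usage:
#   Get-RdpExposure                                 # report only
#   Set-RdpMitigations -RequireNla -BlockPort3389   # apply mitigations 2 and 3, then report
```

Run Get-RdpExposure first across the hosts in the affected list; any host that reports RemoteDesktopEnabled and Port3389Listening as true with NlaRequired false is the one to patch or mitigate first. Note that NLA only raises the bar by requiring valid credentials before the vulnerable code path is reached; it is a stopgap until the Microsoft update is installed, not a substitute for it.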

Of course, the best thing to do is to contact us. We’ll know exactly what to do.

What Else Should You Know?

If you had updated from Windows 7 to Windows 10, or from Windows Server 2008/2008 R2 to Windows Server 2016 or 2019, you wouldn’t need to worry. This is why it’s essential to keep your systems up to date.

Soon, on January 14, 2020, support will come to an end for all Windows Server 2008, 2008 R2 equipment and the Windows 7 operating system.

If you’re still using these servers or operating systems, it’s crucial to replace them now so that there’s no disruption to your daily operations or loss of data.

Any hardware or software product that reaches its end of life is a potential gateway for hackers to enter through. In addition to the security hazard, there are other reasons why it isn’t a good idea to keep using old equipment such as unresolvable outages.



Sign In With Apple

June 6th, 2019 by Julie Lough


Sign In With Apple…Should You Use It?

Apple recently reported that its new “Sign in with Apple” feature will be part of the iOS 13 release in the fall of 2019. It promises to protect your privacy, and authentication experts say it could have an enormous impact on data privacy.

What Is Sign In With Apple?

With Sign In With Apple, you’ll be able to log into your applications. It offers a single-sign-on functionality, much like other sign-in buttons such as Facebook’s, Google’s and Twitter’s.

What Are The Benefits Of Using Apple’s Sign In?

When you sign onto apps, Apple will mask your personal information and email address. But the application will still be able to contact you.

Unlike with Google, Facebook and Twitter, your email won’t be passed on to the developer. You can opt not to allow this, but you won’t be able to use their sign-in service. If you do choose to let Google, Facebook or Twitter track your email, they will also be able to see the applications you use.

Aaron Peck from Oauth explains:

“The way most “sign in with [blank]” systems work is that the app you’re signing in to will get your username on that service and likely also your email address,” he explained. “These apps can sell your email address to advertisers, or correlate your activity between unrelated applications by matching your username.”

Apple solved this problem with its single-use anonymous email address. You’ll be able to share the information you choose with the application. Apple creates a random, anonymous, single-use email address for each application. Apple then forwards emails sent to that address on to you. You have the option of deactivating the single-use email address whenever you want.

By using Sign in with Apple and the single-use email address, your true email address won’t be tracked. Apple is offering this to provide a more private option for use. And they are offering developers a way to provide a fast one-step login without forwarding their user’s data to another company. Apple’s button will also work on websites.

Can You Use Apple’s Sign In With Any Application?

No… only applications that integrate their systems with Apple’s Sign In button. Some may opt not to because they won’t be able to use your information for marketing purposes.

What Phones Can Use iOS 13 & Sign In with Apple?

These are the devices that will be able to use iOS 13:

  • iPhone XS
  • iPhone XS Max
  • iPhone XR
  • iPhone X
  • iPhone 8
  • iPhone 8 Plus
  • iPhone 7
  • iPhone 7 Plus
  • iPhone 6s
  • iPhone 6s Plus
  • iPhone SE
  • iPod touch (7th generation)

Is There Anything Else To Consider When Using Sign in with Apple?

If you are a developer, there may be. There are some concerns surrounding Apple’s terms and conditions for application developers. If they offer Google, Facebook or Twitter’s sign in, they must also offer Sign in with Apple.

And there’s more. According to Reuters:

Apple will expect developers to place their login button above Google’s or Facebook’s.

Apple Inc will ask developers to position a new “Sign on with Apple” button in iPhone and iPad apps above rival buttons from Alphabet Inc’s Google and Facebook Inc, according to design guidelines released this week.

The move to give Apple prime placement is significant because users often select the default or top option on apps […]

Apple’s suggestion to developers to place its login button above rival buttons is part of its “Human Interface Guidelines,” which are not formal requirements to pass App Store review. But many developers believe that following them is the surest way to gain approval.

This means that some app developers won’t have an incentive to actually add the Sign in with Apple feature. But Apple is getting around this by mandating that if developers want to place their app in the Apple App Store, and they already offer a third-party sign in, they must offer Apple’s.

Apple’s terms and conditions don’t require this for applications with a dedicated login system, and those that don’t use third-party buttons from Google or Facebook.

What’s The Benefit For Apple?

Sign in with Apple will improve users’ privacy and provide a far better experience than others.

Will LaSala, director of security services and security evangelist at OneSpan, tells us more:

“Apple is going one step further than traditional single sign-on, they are forcing their users to use stronger authentication, such as Apple’s FaceID and TouchID,” he said, noting that Sign in with Apple will ask mobile app users to use the biometrics functions.

The use of adaptive authentication is what should be celebrated – the ability to prevent login tracking or protect a user’s information is a secondary benefit. Any way that we can get users to move to adaptive authentication that is easy and portable across many sites and platforms is a security win for the internet.

Apple is positioning themselves as the privacy provider. So when we want more privacy, Apple hopes we’ll choose to use their technology. It’s a great marketing strategy…something that Apple excels at. We think many people will want to use Sign in with Apple due to its privacy features.


What Is Windows Lite?

March 27th, 2019 by Julie Lough

Is Windows Lite Microsoft’s Answer to Google’s Chrome OS?

Microsoft is working on a new operating system — Lite — with a different look that’s designed for the casual computer user while targeting Google’s Chrome OS.

Windows Lite is the oft-rumored, highly anticipated stripped-down operating system that Microsoft is reportedly working on and that could be unveiled sometime in the spring of 2019. What exactly is Windows Lite and why is Microsoft investing in it?

What Is Windows Lite?

Rumors began to surface in late 2018 that Microsoft was working on a new version of its Windows 10 operating system. While details have been spotty at best, it appears that Windows Lite is intended to be Microsoft’s latest attempt to compete with Google’s Chrome OS, the driver of its popular Chromebook product line.

Windows Lite reportedly will be faster and leaner than other Windows operating systems. In fact, some reports indicate that the new operating system will be so different from other Windows products that Microsoft may remove the “Windows” name from it altogether.

How Will Windows Lite Work?

The new operating system reportedly will only run apps from the Universal Windows Platform (UWP) downloaded from the Microsoft store. It will also allow progressive web apps, which are applications that are run through an online service but operate like an offline app. Microsoft is exploring whether Lite will eventually be able to support Win32 apps as well.

Windows Lite will also be instantly on and always connected. It will be designed to work with multiple CPUs, providing flexible options for device manufacturers and consumers.

The focus is on building a product that emphasizes simple interactions and maintenance.

It’s expected that Windows Lite will not be available directly to consumers but rather to OEMs as a way to offer an alternative to the increasingly popular Chromebook. Instead, it will come pre-installed on laptops marketed to the home user and students.

The product is designed for users who only need “light” computing without the power, complexity and strength of traditional Windows operating systems. For users who need to write an essay, chat with friends or listen to music, Windows 10 is a bit of overkill.

Will It Look Like Windows?

The Lite OS will likely look very little like Windows. The interface is expected to be cleaner and more modern. The Start button is in the middle of the screen, for example. The search box is reminiscent of Chrome OS, with suggested and pinned applications listed prominently.

That said, there are some familiar components. File Explorer is still there and foundational components like Settings are present at this time.

The divergence from Windows is why some believe that Microsoft will remove the Windows branding entirely from the new product. Why would Microsoft intentionally move away from the established, decades-long Windows brand?

For one, ‘Windows’ carries with it certain expectations about functionality and capabilities. Microsoft may well want to begin reshaping how people think about what an operating system is, what it looks like and its user interface. It could be the beginning of a new direction for the company.

It could also be a way to circumvent the notion that Windows is too complex, complicated or fully featured, attracting those who have sworn off Windows operating systems in the past.

When Will Windows Lite Be Available?

There has been no official announcement or scheduled release date published. Given that hints about the new operating system are beginning to appear in Windows Insider builds, it’s likely that Microsoft is quite far along in its development. One possible target for an unveiling would be at the Microsoft Build 2019 conference in May 2019. Wider testing could begin this summer.