Posts

Showing posts from 2015

Weekly Infosec News Brief: 14-20 Dec

Major Vulnerability in Juniper Firewalls Found and Patched Last Thursday it was revealed that Juniper's ScreenOS operating system, which runs Juniper's firewalls, had a section of "unauthorized code" added to it as far back as 2012. The added code allows an attacker to remotely gain administrative access to the firewall and to decrypt encrypted VPN traffic. The issue affects versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, and a patch is currently available. Juniper states that they found the code during an internal code review and do not know how it got there. http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/ http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/ http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554 Major Vulnerability in FireEye Devices Found and Patched

Weekly Infosec News Brief: 7-13 Dec

Microsoft "Patch Tuesday" Includes Eight Critical and Four Important Fixes The last big batch of Microsoft patches for 2015 is indeed a big one. Eight of the patches are marked as "Critical" and allow for potential remote code execution. MS12-128 fixes a graphics vulnerability in all supported versions of Windows, as well as many versions of .NET Framework, Skype, Lync, and Office, that could allow an attacker to execute arbitrary code. MS15-124 fixes a number of critical vulnerabilities in Internet Explorer (all supported versions) that could allow a malicious web page to run arbitrary code on the vulnerable machine. MS15-131 affects MS Office 2007 and newer, and fixes six vulnerabilities that could allow a malicious Office document to run arbitrary code on a vulnerable machine. These three are the ones that affect the most widely-deployed software and are most easily exploitable, and they should be tested and deployed as soon as possible. MS15-127 affects DN

Weekly Infosec News Brief: 1-6 Dec

US Department of the Interior Inspector General Report Details 19 Major Incidents at the Agency The Department of the Interior experienced nineteen major cyber incidents over the past several years that had been previously undisclosed. A large amount of sensitive data with economic value is believed to have been stolen. The report explains how several of the incidents were not detected for some time, as well as the fact that the extent of some of the intrusions is still not fully known. A key lesson is that cyber incidents are often not readily apparent; it is not wise to assume you have not been compromised simply because you are not aware of a compromise. http://www.nextgov.com/cybersecurity/2015/11/interior-department-hacked-china-others-19-times/123990/?oref=ng-channelriver Microsoft Re-Issues Windows 10 Fix that Reset Some Users' Privacy Settings On November 24th, Microsoft re-issued a major Windows 10 update that was causing many users' privacy settings to reset t

Weekly Infosec News Brief: 24-30 Nov

Dell Laptops Shipped with Unsecure Certificate Authority Installed Dell laptops shipped since this August included, pre-installed, a root certificate authority from Dell called "eDellRoot" that also included the authority's own private key. Even deleting the root certificate does not solve the problem, as the "Dell Foundation Services" Windows service will re-install the certificate if it is deleted. The Dell System Detect service has also been found to install its own root certificate, including the private key. Because these certificates include their own private keys and are installed as root certificate authorities in the OS, an attacker could create their own certificates signed by these and the relevant computers would see them as legitimate signed certificates for websites, drivers, and other software. Lenovo was found last year to similarly install their own root certificates for pre-installed software. Because of the difficulty of avoiding these typ

Weekly Infosec News Brief: 16-24 November

Growing Concern About Java Deserialization Bug as a Working Exploit is Demonstrated A long-standing concern about how Java handles serialized objects is drawing increased concern because of a practical exploit demonstrated by Foxglove Security last week. The exploit potentially affects a large number of Java web applications (Java Server Pages), and has been proven to affect common middleware layers including JBoss, WebSphere, and WebLogic. The flaw's exploitability is highly dependent on how applications are developed; if your enterprise has any externally-exposed Java-based web applications, you should ensure your developers are checking for this flaw. http://www.darkreading.com/informationweek-home/why-the-java-deserialization-bug-is-a-big-deal/d/d-id/1323237 http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thevulnerability Dell Laptops Shipped with Unsecure Certificate Autho

Weekly Infosec News Brief: 9-15 Nov

Microsoft Issues Twelve Updates, Including Four to Fix Critical IE and Windows Vulnerabilities Last week, on “Patch Tuesday,” Microsoft issued a new batch of updates for its products. Four of these are classified as “critical,” including one for Internet Explorer, one for their new Edge browser (part of Windows 10), and one for the Windows kernel. The Internet Explorer vulnerability, MS15-112, is the most likely to be exploited in the wild, and should be a priority for organizations to patch as quickly as possible. The Windows patch, MS15-115, was modified and re-released on Wednesday after some users experienced problems following its installation. If you have not installed security update 3097877 yet, ensure you have the version from November 11th before installing. https://support.microsoft.com/en-us/kb/3097877 http://www.computerworld.com/article/3004464/application-security/four-critical-patches-for-november-patch-tuesday-update-core-windows-and-office-components.html http:/

Weekly Infosec News Brief: Nov 2-8

Microsoft to Start Blocking SHA-1 Certificates Earlier than Planned Following the announcement last month that the SHA-1 hashing algorithm is even easier to defeat than previously believed, tech companies are moving up their timetables to stop using certificates based on the outdated algorithm. Microsoft is now following Google (with Chrome) and Mozilla (with Firefox) in announcing that their products will stop accepting SHA-1 certificates in June of 2016, rather than at the end of 2016 as originally planned. Websites and applications still using SHA-1 certificates will soon be causing users to receive security warnings from most popular browsers. You can check your site’s certificate (or other sites’ certificates) at Qualys’ SSL Labs. http://www.computerworld.com/article/3001681/security/microsoft-follows-mozilla-in-considering-early-ban-on-sha-1-certificates.html Flaw in TrueCrypt Software Allows for Potential Full System Compromise TrueCrypt is a popular tool available

Weekly Infosec News Brief: Oct 26 - Nov 1

Google Gives Symantec an Ultimatum on Certificate Security Procedures Last Thursday, Google laid out several conditions to Symantec for the transparency and security of their certificate authority. The ultimatum comes after Google's discovery in September that Symantec had issued several invalid test certificates for Google domains. Google stated that if their conditions were not met, Google may begin showing warnings in the Chrome browser, and/or in search results, for sites using Symantec-issued certificates. Symantec purchased Verisign, until this year the largest issuer of security certificates, in 2010, and continues to be one of the most widely-used and trusted issuers of such certificates for validating websites and software, as well as enabling encryption. These types of certificates are the foundation of many security functions, so if they are not being issued in a trustworthy fashion it negatively affects the reliability of many controls. http://www.computerworld.co

Travel Security (Cybersecurity Month Tip #11)

Keeping your computer and information secure is challenging all the time, but is especially challenging when you are on the go. Both your device(s) and data can be at risk, and some of the protections you may be used to having on your corporate and/or home networks are not present. Extra vigilance is warranted in such situations. Whether you're traveling out-of-town or just working at a table in the Starbucks down the street, here are a few things to keep in mind to keep secure while traveling: Avoid Wi-Fi hotspots in cafes, hotels, restaurants, etc., especially “open” hotspots (which most publicly-accessible ones are). iPhones have a built-in capability to connect to a VPN, so this is a way of more safely using open Wi-Fi. A wired connection in your hotel is better than Wi-Fi — less subject to monitoring. When you work over non-secure networks (and any network you don’t control should be treated as such), a good practice is to work over a VPN connection or other remote

Social Media Security (Cybersecurity Month Tip #10)

Social media is a vastly popular use of the Internet today, and a source for a huge interchange of data. This ability to upload and download many forms of data can make social media a conduit for illegitimate information flow in and out of an organization. Social media can also allow malicious individuals to seek out and connect with people by name or by interest. Foreign intelligence services and cyber criminals have been known to create fake profiles, sometimes based on those of real people, in order to connect with and gather information on persons in an area or field of interest. Key tips for security on social media include: Use two-factor authentication; most social networks have this option. Be careful who you accept "friend" requests or connections from. In particular, check who they are already connected with, to see if their connections make sense in light of what you know of this person. Avoid connecting with people you don’t know well. Use care in sharing pe

Weekly Infosec News Brief - Oct 19-25

Private Web-based Email Accounts of CIA Director and Secretary of Homeland Security Hacked It was revealed this week that the CIA Director and Homeland Security Secretary’s private emails had been compromised by hackers, who published much of the information contained therein. The incident is interesting for two reasons. One was that the CIA Director’s private email included a number of potentially sensitive emails that had been forwarded from his White House email account during his time working there. The other is the method the attackers used, impersonating the account owners from one account to the next to gather the info necessary to reset their account passwords and gain control of the accounts. Organizations need to grapple with the reality that users’ personal accounts and devices can impact their work accounts and data, and should ensure that policy and training address these issues. http://www.scmagazine.com/cia-director-brennans-personal-email-contained-sensitive-info-h

Mobile Device Security (Cybersecurity Month Tip #9)

In many organizations, more and more work is being conducted via “mobile devices” like smartphones and tablets rather than traditional PCs and laptops. The most common of these by far are those running Apple’s iOS (iPhones and iPads) and those running Google’s Android OS. These devices are light, portable, convenient, handy, and generally easy to maintain and manage. However, they are still powerful computing devices that can store a lot of critical information and can also present serious security challenges. Some basic measures that you should take include: Set a password and set your phone to lock automatically after a short period of non-use. It’s so easy to lose a phone on a bus or train or in a restaurant, and if someone picks it up while it’s unlocked they can do and access pretty much everything on the device. Consider enabling a function to wipe the data and settings from your device if the passcode is entered incorrectly enough times. This function does allow for some

Internet-connected “Things” (Cybersecurity Month Tip #8)

The phrase “the Internet of things” (IoT) has gained currency over the past several years as more devices aside from traditional computing devices are being connected to the Internet. The term was coined in a 1999 presentation on the use of radio-frequency ID (RFID) chips to track items in the manufacturing and delivery process. Since then it has become a major issue in technology circles and a subject of much concern regarding the security implications of such Internet-connected "things." Many appliances and other devices are connected to the Internet now, primarily in order to provide for remote control and/or monitoring. Common examples include security cameras, thermostats, door locks, automobile systems, medical devices, and home lighting control systems (indeed, whole-house control systems). The Nest thermostat (and later smoke detector and cameras) was perhaps the first highly-visible and widely-known Internet-connected “thing,” and its popularity helped bring the

Weekly Infosec News Brief - Oct 12-18

New Flash Zero-Day Vulnerability Being Actively Exploited Last Tuesday, the same day that Adobe released their regular monthly patches, Trend Micro disclosed their discovery of a new zero-day vulnerability being exploited by the “Pawn Storm” hacking group. The observed activity is directed primarily against various nations’ foreign affairs ministries, but the vulnerability (CVE-2015-7645) is not publicly disclosed and may be subject to further exploitation. Adobe released a new out-of-cycle patch for the issue on Friday evening. http://www.cnet.com/news/another-security-flaw-affects-all-versions-of-adobe-flash/ http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/ https://helpx.adobe.com/security/products/flash-player/apsa15-05.html Microsoft Releases Six Patches for IE/Edge, Office, Windows Last Tuesday, Microsoft released six updates that fix about 33 security issues in their browsers, in Windows, and in Office.

Password Managers (Cybersecurity Month Tip #7)

Our last tip discussed the importance of using strong, complex passwords, and being diligent to use different passwords for everything. Most of us can agree that is good advice, but many of us don't follow it. The reason is simple: it is too hard to remember all those passwords! I understand completely; I personally have about 300 passwords right now! The old wisdom was to never write down your passwords and never record them ANYWHERE. However, the big threat to your data today is not someone who finds your password hidden under your keyboard, but someone on the other side of the world cracking or guessing your password. So to make complex and unique passwords possible, many security professionals recommend the use of a "password manager" software or service. Password managers are apps used to safely store ALL of your passwords and keep them safely encrypted in one place. Most are offered by providers who will store the data in the cloud so that you can sync it to a

Passwords (Cybersecurity Month Tip #6)

If you are like most modern folks, you use a large number of passwords every day. As mentioned in our very first tip this month, the use of passwords alone to secure anything of significant value/importance is a questionable practice by today’s standards. However, the reality is that for now and for the foreseeable future we are likely to be doing business in this way with many of the sites and services we access. And even with multi-factor authentication, the use of a strong password is still your first line of defense. So how do you ensure your passwords are strong? Key tips include: Length is strength. Making your password longer is the easiest and most effective way to make it stronger and more difficult to guess or crack. Consider using a real phrase. A real phrase, complete with spaces, capitalization, and punctuation, will be longer than most passwords while meeting most password requirements, being quick for a good typist to type, and being easy to remember. Don'

HTTPS Security - (Cybersecurity Month Tip #5)

Most anyone who browses the web regularly knows that some pages are “secure” and some are not. The key difference is that “secure” websites are served using the HTTPS protocol rather than HTTP protocol; this means that the information sent between your browser and the web server is encrypted so that anyone potentially “listening in” between you cannot read it. HTTPS also provides for positive identification of the website to avoid you being fooled by a fake. Web browsers have various visual cues to help you know you are on the right site and that it is being served to you securely. Chrome, for instance, looks like this. This video shows you how the different browsers show you if a site is secure. Like everything in technology, the methods used for providing this security have advanced in the past decade. For organizations hosting websites, there is a need to balance between enabling users to access your site even if they may be using an older device/browser and ensuring that

Weekly Infosec News Brief - Oct 5-11

Vulnerability in Microsoft Outlook Web Services Exploited Cybereason, an Israel-based security vendor, claims to have discovered a "back door" in Microsoft's Outlook Web Services that was used to install malware on a company's web services, and to compromise the data of thousands of employees. Microsoft has responded that the flaw is only exploitable by a user or attacker who already has privileged access to the Exchange server in question. http://www.cybereason.com/cybereason-labs-research-a-new-persistent-attack-methodology-targeting-microsoft-owa/ http://blogs.technet.com/b/exchange/archive/2015/10/07/no-new-security-vulnerability-in-outlook-web-access-owa.aspx http://www.scmagazine.com/backdoor-in-ms-outlook-webmail-raises-security-doubts/article/443415/ FBI Urges Organizations and Users to Adopt Multi-Factor Authentication The FBI issued a posting urging organizations and individuals to use two-factor authentication (aka multi-factor authentication)

Weekly Infosec News Brief 21-27 September

ABA Study Shows that Law Firm Breaches are on the Rise In a survey released this week, the ABA reported that approximately 20% of attorneys surveyed reported that their firms had experienced an information security breach of some type over the past year. Of respondents, 3% reported experiencing breaches that resulted in unauthorized access to client data, and 5% reported that their breaches resulted in the need to notify clients. The greatest increase was seen in firms with 100 or more lawyers. http://www.americanbar.org/groups/departments_offices/legal_technology_resources/publications.html https://bol.bna.com/aba-survey-data-breaches-rising-at-large-firms/ Adobe Releases New Flash Version, Fixes 23 Security Flaws Last Monday, Adobe released a new version of their Flash browser plug-in, version 19.0.0.185. This release fixes 23 security issues with Flash, at least some of which Adobe considers of the highest possible priority (Adobe doesn’t provide priority ratings for indiv

Security Basics -- Malware Protection

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here. When most people think of technical controls for information security, the first one they tend to think of is anti-virus software. After it was first widely commercialized in the late 1980s, antivirus software became known as the thing you needed to have to deal with the security of your computer. And by the mid-90s, when connecting, communicating, and downloading over the Internet became more and more the reason for using a computer, antivirus software came to be seen as an essential accessory to modern computing life. The traditional approach of anti-virus software was to check digital files against a set of “signatures” of known virus (or, more broadly, malicious software or malware) files, in order to delete or quarantine dangerous files found stored on the computer. This technique has been refined and enhanced, pa

Weekly Infosec News Brief 14-20 September

New WordPress Version Released; Fixes Three Security Issues Last Tuesday, WordPress.org released version 4.3.1 of their web content management system. The new version fixes two cross-site scripting vulnerabilities and a privilege-escalation issue. WordPress is the most popular website management software in use today; in some cases, organizations are using it without even realizing they are doing so. Vulnerabilities in third-party "plugins" for WordPress are common, but the core WordPress code has been relatively trouble-free of late. If you have a website running on WordPress, it is important to ensure you update it as soon as possible. https://wordpress.org/news/2015/09/wordpress-4-3-1/ http://www.darkreading.com/vulnerabilities---threats/wordpress-dodges-further-embarassment-by-patching-three-vulns-/d/d-id/1322213? Malware Found in Hundreds of iPhone/iPad Apps in Official App Store Malware has been discovered in several hundred (so far) apps in the official App