For your reading pleasure …

We update our security blog a couple times a week, however, we simply cannot cover every data breach or malware attack. Luckily, there are several really good blogs we read that help fill in the gaps. If you scan down the right-side of our blog, you’ll see our “blogroll” which includes nine sites we read on a near-daily basis.

Our Senior Security Engineer, Josh More, is a big fan of SANS’ Internet Storm Center and WiKIDBlog. The SANS Internet Storm Center is a collective of security professionals who provide “ a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.” The writers at WiKIDBlog tend to think outside of the box and often have some unique solutions to common security problems. They also champion two-factor authentication “without the hassle factor!”

Our blogroll also contains some of our partners, including Bit9, Barrier1, Smoothwall, Sourcefire, Sophos and Zix. Bit9, Sourcefire and Sophos update their blogs quite often and have very informative posts. And if you’re not reading Sophos’ Naked Security on a daily basis, you are really missing out. Graham Cluley and Chester Wisniewski do a phenomenal job of keeping tabs on virtually every major threat wreaking havoc in cyberspace. Their blog is oftentimes rather humorous, contains insightful videos and has won numerous awards. For your money’s worth, you won’t find a better security blog.

Our blogroll contains just a few of our favorites, but there’s room to grow. Do you have any recommendations for us?

A client shows that Macs are not as safe as you think

A common misconception among Mac users is that their Apple products are immune from malware and security issues often seen in Microsoft products. A decade ago, this was pretty much true. Mac OS had a streamlined approach to security that was difficult to crack, but more importantly, Apple users were massively dwarfed by Microsoft and weren’t worth the time to target. Hackers wanted the easy score, not something they actually had to work at. Unfortunately, many Mac users still believe they’re impervious to threats, but they are ignoring two major changes in the computer landscape.

1) After years of abuse, and rightfully so, Microsoft has now surpassed Apple in terms of protection. Since the Windows Vista introduction in 2007, their OS has employed ”address space layout randomisation (ASLR) which is implemented so as to obscure most of what an attacker needs to conduct, for example, shell code injection attacks.” Despite acquiring ASLR in 2007, Mac OS has yet to implement this same degree of protection.

2) Apple has seen fabulous growth in the personal computer market. In 2003, Apple had just 2.06% of the desktop computer market. Just five years later, that number was at 14% and has now diversified further with the advent of the hugely popular iPhone and iPad. Not surprisingly, Mac OS malware has grown in excess of 200% in the last three years!

Unfortunately, many companies are ignorant to this environmental shift and still assume their Macs are as secure as ever. Take for instance an advertising agency we recently consulted with. This agency employs over 50 individuals and boasts several Fortune 500 accounts. Like many ad firms, Macs are their computer of choice.

Recently, one of their biggest clients had a security breach that originated from the agency office. The agency and client shared a portal where they frequently transferred images, files and documents. Besieged by a nasty piece of malware, the portal was rendered unusable.

What the agency didn’t realize is their Mac computers were hosting Windows-based malware. While the malware had zero effect on their Mac computers, it ran amok on the client’s Microsoft desktops after it was unknowingly transferred through the portal. This issue is prevalent in many Mac environments. According to Sophos, “A 100,000 strong snapshot of the millions of Mac computers which have recently downloaded Sophos’s free Mac anti-virus software, revealed that 20% of Mac computers were carrying one or more instances of Windows malware.”

Needless to say, if the agency realized that their fleet of Mac computers weren’t secure and at the very least invested in Sophos’ free Mac anti-virus software, this entire scenario would have never happened. If you are a Mac user or your company runs a Mac-based operation, please do us all a favor and download the aforementioned free anti-virus software. And if you really want to make sure all your bases are covered, give us a buzz and we’ll set you up with a free security review as well.

Sophos Apple Resources:

Download Sophos’ free Mac anti-virus software.

1 in 5 Macs has malware on it. Does yours?

Are Macs safer than PCs?

 

Microsoft XML Attack

Though we were notified last week that there was a problem with Microsoft’s XML implementation, news broke this weekend that it is now being actively exploited.

In response, Microsoft has released an emergency fix. This is not a patch, but rather a tool that temporarily hardens a workstation against an XML attack. Microsoft does this to help limit attacks while it works with vendors in the Microsoft Active Protections Program (MAPP) to build more robust detection and prevention capabilities to protect unpatched systems. Then, when the patches do come out, the problem will be considered officially resolved. Patches should be out by July 10th, if not sooner.

So, what should you do?

First, if you are running Sophos, Sourcefire or Alert Logic technology, trust your vendor.  They are all in the MAPP and so will have decent protections soon.  If, however, you are using a vendor that is not in the program, you should apply the fix to all Windows workstations that use Internet Explorer to browse the web. The fix is available here.  Just scroll down and click on the button under “Apply.”  When the patches are available, deploy them as soon as possible.

For more details, please see Microsoft’s security advisory.

June Updates and Patch Report

It’s “Patch Tuesday” week again, so let’s summarize several of the more important updates and patches.

Microsoft

Did you know there were two sets up updates this month? The normal Tuesday updates came out as expected, but before that, there was a special update to make sure this week’s updates were trustworthy. What happened is that Flame made the news and a part of the malware was designed to take advantage of a flaw with Microsoft certificates. So, to fix it, Microsoft had to release an update… but since that certificate was part of the update process, it had to be released early.

If you did not apply the update when it first came out, you’ll probably be okay. However, this is yet another example of why it’s important to stay on top of these. If you fall behind, not only are you unprotected against current threats, but you also cannot trust the updates that are waiting in the wings. If you are worried about falling behind, it may be time to consider patch management software.

The second round included updates for Remote Desktop, Internet Explorer and .Net. The IE one is being exploited, so update your workstations and laptops ASAP. Also, if you are one of the many companies exposing Remote Desktop to the internet, this is a very good example as to why that isn’t the best strategy. The flaw made public this week allows people to access those systems without logging in. If you are accessing RDP directly over the internet, it’s time to stop. There are some extremely simple and cost effective (some even free) VPN solutions out there. Please use them.

More details are here and here.

The Always-Expanding Hack List

If you regularly use LinkedIn, Last.fm, Twitter and/or eHarmony, it’s time to change your passwords. It’s also time to trust the users of those sites a little bit less. When a password breach occurs, not only is your data at risk, but so are all of your social connections. If one of your friends had a weak password, someone could log into their account and view all the information you share with them. While there’s nothing we can do directly in response to these attacks other than change our passwords, we really need to start putting more pressure on these sites to ensure they are protecting our data with better than minimal standards. If you are in the position of storing customer data, you might want to review your own processes, too. It’d be better to do that before a breach.

Adobe

Adobe has released an update for … ColdFusion. If you’re not using ColdFusion, you don’t have to worry about Adobe patches this month. Also, if you’re running ColdFusion 10, you’re good. Kind of a shocker, I know.

If you’re running an older version of ColdFusion, read the details here.

VMware

It’s out … it’s finally out!  If you’re running vSphere 5, you can read the hardening guide.  This is a guide to both hardening AND assessing VMware infrastructures. Basically, all the auditors now have guidance, so expect them to get more annoying about it. Also, expect your assessors to have more documentation backing up why certain changes should be made. A good plan would be to actually make them! It’s usually going to make sense for you and the time you spend arguing would be better spent fixing issues.

I know that making some changes to a virtual environment can affect a lot of servers, but guess what happens if a flaw in your system is abused? I am firmly of the mind that a planned outage is much better than an unplanned one. Please harden your infrastructure.

Apple

Sadly, Apple did not release an IOS hardening guide. Instead, they just lifted the curtain a little bit and gave us a peek inside with the IOS security specs. If you are writing policies around mobile devices and have to support Apple, you should probably read this. It will also help you assess MDM solutions.

PHP

If you’re running PHP, you should know it’s being attacked.  Keep it updated and if you can, seriously consider layering PHP-Suhosin, Mod_Security2 and AppArmor around it. PHP is good for developers, but it’s also good for attackers. If you want to use it for the former, you have to accept the risk from the latter.

MySQL

Please excuse the tech speak here. If you are running MySQL and it was compiled with GCC using SSE, people can likely log into your system with the wrong password. Details are here. This issue is known to affect Ubuntu 64bit, OpenSUSE 64bit, Debian Unstable 64bit, Fedora and Arch Linux. Luckily, the more commonly used Ubuntu 32bit, Red Hat Enterprise Linux and the official binaries from MySQL are not affected.

In general, you should apply the patch immediately when available. You should also only expose your MySQL interface to the applications that need them and to the DBA’s network. Most real world problems involving this vulnerability involve people who chose to make MySQL accessible over the internet. Like RDP, there are almost no good reasons to do this … so don’t.

Last.fm leaks passwords

LinkedIn wasn’t the only major web presence with a security breach last week. Popular streaming music service, Last.fm, sent out emails this weekend to their 40+ million subscribers regarding a password breach and were quick to point out the breach only affected a “small fraction” of users and that “this follows recent password leaks on other sites …” I suppose if everyone else is doing it, you might as well join in on the fun!

As a Last.fm user, I received one of their customer emails. Unfortunately, it went straight to my Spam box and I didn’t see it until this morning. Here’s what it said:

Much like the LinkedIn breach, the same rules for changing your password that Josh outlined last week apply with Last.fm. In case you missed his post, read it here. Otherwise, here are Josh’s tips for creating a strong password:

  • Change your password to something random, long and complex… at least 20 characters.
  • Do not use this password anywhere else.
  • If you don’t remember these sorts of passwords easily, use a tool like KeePassLastPass or1Password.
  • If you are responsible for the security of others, get them to change their passwords too.

Isn’t that easy? Now go and change your Last.fm password and your LinkedIn one, too, if you haven’t already done so. And if you’re looking for love via eHarmony (data breach last Wednesday), change that password, as well!