Blog: IT Security Alerts

A report of two new vulnerabilities named Meltdown and Spectre was published last Wednesday, January 3, 2018. It is a big deal because they are hardware vulnerabilities affecting nearly every modern processor that uses speculative execution. Yes, this means microprocessors in workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Currently, mitigation and recommended processes are in flux. New information, articles, and white papers have emerged daily over the last week. As you research these concerns, be sure you are referencing reputable sources and the information is up-to-date.

For now, the tricky part is that some of the early updates aimed at mitigating the vulnerabilities have yielded incompatibilities which might leave systems inoperable. (The fix might break things.) Please be cautious. Verify and test updates before installation.

The Vulnerabilities

Both are classified as speculative execution vulnerabilities: if exploited, they allow a program to read protected areas of memory it is not authorized to access, which could let an attacker collect sensitive information such as passwords and nonpublic customer information.

  • Meltdown - allows an unprivileged process to read memory it should not be able to, including protected kernel memory. Affects almost all Intel processors manufactured since 1995 and some ARM processors.
  • Spectre - tricks a victim program into speculatively executing code that leaks its own memory, so it allows unauthorized access to memory used by other computer processes. Affects almost all processors; it has been verified on Intel, AMD, and ARM processors.

Mitigation

As the IT industry moves to mitigate these vulnerabilities, incompatibilities which can render systems unusable have occurred. It is of utmost importance to verify and test updates before installation. Prudently pursue and ensure the following security processes are working effectively within your organization (these are already standard elements of strong security cultures):

  • Installation of security software updates - antivirus software, endpoint security software, etc.
  • Installation of operating system (OS) updates - Microsoft Windows, Linux, macOS, iOS, Android, etc.
  • Installation of web browser updates - Microsoft Edge/Internet Explorer, Google Chrome, Mozilla Firefox, etc.
  • Installation of processor microcode updates - delivered as BIOS/UEFI firmware updates issued by computer system manufacturers - Dell, Lenovo, HP, Apple, etc.
  • Prevention of malicious code execution - website blocking, website ad-blocking, phishing detection, security awareness training for users (how to spot malicious emails, not to click on links in emails), etc.

Exploits of these vulnerabilities are likely to change over time, and the controls issued by hardware and software manufacturers are likely to change as well. Therefore, it will be important to ensure updates are installed regularly.
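Installing the updates is only half of the job; the other half is confirming the mitigations are actually active on each host. The script below is an added example (not from the original alert or from the researchers) that reads the per-issue status files the Linux kernel (4.15 and later) exposes under /sys/devices/system/cpu/vulnerabilities/ and reports whether action is still needed. The two sample directory listings are constructed to show a fully mitigated host and one whose kernel is patched for Meltdown but still lacks the Spectre v2 microcode.

```python
"""Report Meltdown/Spectre mitigation status from the Linux kernel's sysfs.

Added example, not part of the original alert. Each file under
/sys/devices/system/cpu/vulnerabilities/ holds one line that begins with
"Not affected", "Vulnerable" or "Mitigation: <name>", sometimes followed by
extra detail.
"""
import os
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# The three entries that shipped with the January 2018 kernel updates.
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(contents: Dict[str, str]) -> Dict[str, str]:
    """Classify each expected issue. A missing file means the kernel predates
    the fix (or cannot report it) and must be treated as unknown, not as safe."""
    return {issue: classify(contents.get(issue, "")) for issue in ISSUES}


def needs_action(report: Dict[str, str]) -> bool:
    """True if any issue is still vulnerable or could not be determined."""
    return any(state in ("vulnerable", "unknown") for state in report.values())


def read_sysfs(path: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the live status files if this host exposes them (Linux >= 4.15)."""
    out: Dict[str, str] = {}
    if os.path.isdir(path):
        for name in os.listdir(path):
            with open(os.path.join(path, name)) as f:
                out[name] = f.read()
    return out


# Constructed samples (not captured from a real host): a fully mitigated
# machine, and one still missing the Spectre v2 microcode/retpoline support.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
}
SAMPLE_PARTIAL = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    source = live if live else SAMPLE_PARTIAL  # fall back to the sample off-Linux
    report = assess(source)
    for issue, state in report.items():
        print(f"{issue:12s} {state}")
    print("ACTION NEEDED" if needs_action(report) else "OK")
```

Run it as root or any user (the files are world-readable). On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which likewise reports separately whether the OS support and the hardware microcode support are both present.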

 

Additional information provided by the researchers who discovered both vulnerabilities can be found at https://meltdownattack.com/.


 

The Equifax data breach announced yesterday potentially affects 143 million U.S. consumers and is one of the largest breaches of personal information. The following steps can be taken by consumers to help protect against fraud and identity theft:

  1. Enroll in the free security services offered by Equifax - https://trustedidpremier.com/eligibility/eligibility.html
  2. Place a security freeze on your credit file with each of the credit bureaus
  3. Monitor your financial accounts for unauthorized activity and report unauthorized activity immediately
  4. Obtain a copy of your credit report, review it for unauthorized activity, and report unauthorized activity immediately - www.annualcreditreport.com
  5. Set up alerts on your debit and credit accounts to notify you of transactions, changes to your account, or other alerts offered by your financial institution

Additional details:

The credit reporting bureau, Equifax, reported yesterday that they have been compromised. Non-public information affecting potentially 143 million U.S. consumers was stolen, primarily consisting of names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers. Additionally, credit card numbers for approx. 209,000 U.S. consumers and dispute documents for approx. 182,000 U.S. consumers were accessed. Further details from Equifax can be found here:

For information from a source independent of Equifax, Brian Krebs' coverage can be found here - https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/.

Additional information about the steps consumers can take to protect against fraud and identity theft:


 

An outbreak of the WCry (also known as WannaCry/WanaCrypt0r) ransomware began to be reported May 12, 2017. The attack was worldwide and deemed by some as “the biggest ransomware outbreak in history.”

The goal of the attack, like all ransomware, is to encrypt computer files making them unavailable to the computer user. A payment is required to get the key which unlocks the files.

The ransomware was first seen in early February 2017, but an updated version began spreading rapidly in May. Initial reports attributed delivery to phishing email; once running on a machine it exploits a vulnerability in SMB (Server Message Block, the file sharing protocol used by Windows operating systems). The vulnerability was addressed in March 2017 by Microsoft Security Bulletin MS17-010. WCry uses unpatched SMB to spread its payload to vulnerable machines on the same network and to randomly chosen IP addresses on the Internet.

If Windows systems are patched in accordance with MS17-010, the SMB vulnerability is resolved and the systems cannot be infected through this spreading mechanism. Systems that cannot be patched should have SMBv1 disabled or inbound TCP port 445 blocked at the network boundary.

CoNetrix Technology customers with Network Advantage managed service agreements were automatically updated in March 2017 when this patch was initially released.

CoNetrix recommends that all customers verify this update is installed as soon as possible.

Cisco Hardware Issue with Clock Signal Component

 

On February 2, Cisco released information about an issue affecting many of their hardware systems. This issue may cause eventual hardware failure on specific models and hardware versions after 18 months or longer.

The most commonly affected systems include the ASA 5506, 5508 and 5516 firewalls and the 4321, 4331 and 4351 routers.

Details about the issue with a complete list of affected hardware is available at http://www.cisco.com/c/en/us/support/web/clock-signal.html. The "Field Notices" tab contains links to the specific hardware.

For CoNetrix Technology customers, we are currently reviewing all documentation to determine those customers with affected hardware. We will contact those customers when additional action is needed.

Other CoNetrix customers should review their installed Cisco hardware or contact their IT service provider as soon as possible.

CoNetrix Technology customers can contact Support at 806-687-8600 or support@conetrix.com with any questions or concerns.

Researchers have reported a critical vulnerability in recent versions of OpenSSL, the library used to secure numerous websites. This vulnerability has been assigned CVE identifier CVE-2014-0160 and is also known as the “Heartbleed Bug.” Exploitation can expose a server's private keys, usernames and passwords of site users, and other confidential information held in the server's memory.

This affects systems using OpenSSL versions 1.0.1 through 1.0.1f. Note this also includes numerous appliances used to terminate SSL connections used in Virtual Private Networks, secure email solutions, etc. Thus, even if you are only using unaffected Microsoft web servers, you may need to address these other types of appliances and embedded systems.
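A first-pass inventory check is to compare the version string each system reports against the affected range. The script below is an added example, not from the original alert or the OpenSSL project: it parses `openssl version` output (the sample strings are constructed) and also knows about the 1.0.2-beta1 pre-release, which was affected alongside 1.0.1 through 1.0.1f. One caveat a practitioner must keep in mind: distribution packages that backport the fix keep the original 1.0.1e banner, so a hit here means "confirm with the vendor or a live test such as the SSL Labs scan", not "confirmed vulnerable".

```python
"""Classify an `openssl version` string against the Heartbleed-affected range.

Added example, not from the original alert. Affected releases are 1.0.1
through 1.0.1f (fixed in 1.0.1g) and the 1.0.2-beta1 pre-release; the
0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
"""
import re
import subprocess
from typing import Optional, Tuple

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1f", "OpenSSL 1.0.2-beta1", ...
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Extract (major, minor, patch, letter, beta) or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, beta or ""


def is_heartbleed_range(text: str) -> Optional[bool]:
    """True if the reported version is in the affected range, False if not,
    None if the string could not be parsed (treat as 'check manually')."""
    v = parse_version(text)
    if v is None:
        return None
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # The bare 1.0.1 release has letter "" which sorts before "a"; "g" is the fix.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug.
        return beta == "beta1"
    return False


def local_openssl_version() -> str:
    """Run the local `openssl version`; empty string if the binary is missing."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False).stdout.strip()
    except OSError:
        return ""


# Constructed sample banners, as a fleet inventory might collect them.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",   # affected unless the distro backported the fix
    "OpenSSL 1.0.1g 7 Apr 2014",    # fixed release
    "OpenSSL 1.0.0l 6 Jan 2014",    # branch never had the heartbeat code
    "OpenSSL 1.0.2-beta1",          # affected pre-release
    "unknown appliance firmware",   # cannot tell from the banner
]

if __name__ == "__main__":
    local = local_openssl_version()
    for banner in ([local] if local else []) + SAMPLES:
        verdict = {True: "IN AFFECTED RANGE - verify", False: "not affected",
                   None: "unparseable - check manually"}[is_heartbleed_range(banner)]
        print(f"{banner:32s} {verdict}")
```

Because a patched 1.0.1e still answers "1.0.1e", treat True as a prompt to check the package changelog or to run the SSL Labs test mentioned above rather than as a final answer, and remember that the appliances and embedded systems called out in the paragraph above usually do not expose a version banner at all.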

The Qualys SSL Labs scanning service available at https://www.ssllabs.com/ssltest/ can be used to determine if a particular site exhibits this vulnerability.

Additional information is available at http://heartbleed.com.

We recommend you work with appropriate vendors to identify vulnerable systems and apply the appropriate patches as soon as possible.


 

The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machines (ATM) and card authorization systems and the continued distributed denial of service (DDoS) attacks.

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf


 

The Federal Financial Institutions Examination Council (FFIEC) jointly issued a statement to alert financial institutions that Microsoft will discontinue extended support for Windows XP effective April 8, 2014. After this date, Microsoft will no longer provide security patches or support for the Windows XP operating system. To read the Joint Statement, visit http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf

 

I have received 4 or 5 emails this week from a phishing scam that claims that one of my ACH transactions was recently cancelled. These emails are getting through the filters and landing in my Inbox. If you or anyone you know gets an email similar to the one below, delete it. I have modified the link in the email below so it won’t work, but you can still see where it was trying to go.

One indication the emails are fake – they purport to come from NACHA, the National ACH Association. However, NACHA does not deal directly with consumers or individual transactions.

If you know someone who works with payroll, purchasing, paying bills, etc., you should warn them about these emails. They are targeting people who work with online ACH transactions. Imagine the horror if the person responsible for payroll at a company received an email saying, “ACH Payroll Cancelled”. They would be very likely to click on the link first and think about security later.

From: admin@nacha.org 
Sent: Friday, September 16, 2011 8:07 AM
To: You
Subject: ACH Payroll Cancelled

 
The ACH Payroll transaction (ID: 2150243623890),
recently initiated from your operating account (by your company), was rejected by the other financial institution.


Cancelled transaction

Transaction ID: 2150243623890
Reason for rejection: See details in the report below
Transaction Report: report_2150243623890.pdf.zip (self-extracting archive, Adobe PDF)

Note:
If you are sure that this email was delivered to you by mistake, please redirect it to your director or accountant.


..
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association
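The message above has several structural tells that a mail filter can key on without relying on the sender's reputation. The script below is an added example, not part of the original post or any vendor's product: it parses raw messages with Python's standard email library and flags the tells drawn from the quoted scam (an archive attachment named to look like a PDF, a body that describes a "self-extracting archive", a sender domain belonging to an organization that does not contact individuals about transactions, and the "ACH ... cancelled" subject). The list of impersonated domains and the two sample messages are assumptions constructed for the example.

```python
"""Flag ACH-themed phishing mail by its structural tells.

Added example, not part of the original post. The rules are assumptions
drawn from the message quoted above; the two sample messages are
constructed and are not real captures.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

# Organizations impersonated by this campaign (assumed list): NACHA sets ACH
# rules but does not email individuals about specific transactions.
IMPERSONATED_DOMAINS = {"nacha.org"}

# Archive/executable suffixes that should never arrive as a "PDF report".
RISKY_SUFFIXES = (".zip", ".rar", ".7z", ".exe", ".scr", ".js")


def attachment_names(msg: EmailMessage) -> List[str]:
    """Collect the filename of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def indicators(raw: bytes) -> List[str]:
    """Return human-readable reasons the message matches the scam pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: List[str] = []

    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain in IMPERSONATED_DOMAINS:
        hits.append(f"sender domain {domain} does not contact individuals about transactions")

    subject = str(msg.get("Subject", "")).lower()
    if re.search(r"\bach\b", subject) and "cancel" in subject:
        hits.append("subject uses the 'ACH ... cancelled' urgency lure")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if "self-extracting" in text:
        hits.append("body presents a self-extracting archive as a PDF")

    for name in attachment_names(msg):
        low = name.lower()
        if low.endswith(RISKY_SUFFIXES) and ".pdf" in low:
            hits.append(f"attachment {name} is an archive disguised as a PDF")

    return hits


def is_suspicious(raw: bytes) -> bool:
    """Two independent tells are enough to hold the message for review."""
    return len(indicators(raw)) >= 2


# Constructed sample modelled on the quoted scam (ID reused from the post).
SAMPLE_SCAM = b"""\
From: admin@nacha.org
To: You
Subject: ACH Payroll Cancelled
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The ACH Payroll transaction (ID: 2150243623890) was rejected by the other
financial institution. Transaction Report: report_2150243623890.pdf.zip
(self-extracting archive, Adobe PDF)

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="report_2150243623890.pdf.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign notice for contrast.
SAMPLE_LEGIT = b"""\
From: payroll-notices@bank.example
To: Jane Doe <payroll@example.com>
Subject: Payroll file received
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Your payroll file for 9/16 was received and is scheduled for settlement.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, "suspicious" if is_suspicious(raw) else "clean")
        for reason in indicators(raw):
            print("  -", reason)
```

The attachment rule is the one worth keeping even after this particular campaign is over: a ".pdf.zip" or "self-extracting archive" is an executable dressed as a document, and no legitimate transaction report arrives that way.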


 

An issue has been identified in the Symantec Endpoint Protection Manager (SEPM) which causes Security Content newer than 12/31/2009 11:59 PM to be considered older than content previous to that date/time. As a temporary workaround, Symantec is currently not incrementing the date on Symantec Endpoint Protection (SEP) Security Content and instead is only incrementing the revision number of the content. A message from Symantec provides this more detailed explanation: "As of early Sunday, January 3, 2010, the Symantec Endpoint Protection antivirus definition version "12/31/2009 rev. 114" has been published. Rev 114 includes all the latest definitions through Jan-2-2010."

As of today, January 5, 2010, CoNetrix definitions are showing a revision number of 116. The revision number should continue to increase as evidence of ongoing updates.

This issue has been identified in the Symantec Endpoint Protection Manager (SEPM) and affects the following products:

  • Symantec Endpoint Protection v11.x Product Line
  • Symantec Endpoint Protection Small Business Edition v12.x Product Line
  • Products which rely on Symantec Endpoint Protection for definition updates (e.g. Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino)

There are no required customer actions for this issue. More specifically, there are no changes an administrator needs to apply in order for the above mitigation to be successful.

For more information, see the following Symantec Knowledge Base article: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348


 

Many people received a phishing e-mail with the Subject "FDIC has officially named your bank a failed bank" yesterday appearing to come from the FDIC.  The text from the fraudulent e-mail would appear something like:

You have received this message because you are a holder of a FDIC-insured bank account.
Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.

You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
  • Visit FDIC website: (a fraudulent link was provided here)
  • Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

It appears this is a new phishing attack intended to collect personal or confidential information. Recipients of this e-mail should be warned of its nature and encouraged NOT to follow any of the links from the e-mail.

Here is the link to the FDIC Consumer Alert published October 26, 2009 - http://www.fdic.gov/consumers/consumer/alerts/