Category Archives: Security

Windows Server 2003 - Four Months and Counting

Unless you’ve been living in a cave in the mountains for the last several months, you’re probably aware that Windows Server 2003 hits End of Life on July 14, 2015 – roughly four months from now. That means Microsoft will no longer develop or release security patches or fixes for the OS. You will no longer be able to call Microsoft for support if you have a problem with your 2003 server. Yet, astoundingly, only a few weeks ago Microsoft was estimating that there were still over 8 million 2003 servers in production.

Are some of them yours? If so, consider this: As Mike Boyle pointed out in his blog last October, you’re running a server OS that was released the year Facebook creator Mark Zuckerberg entered college; the year Wikipedia was launched; the year Myspace (remember them?) was founded; the year the Tampa Bay Buccaneers won the Super Bowl. Yes, it was that long ago.
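To answer that question for an Active Directory domain, here is an added PowerShell inventory check (not code from the original post). It assumes the ActiveDirectory module from RSAT is available and that the account running it can read computer objects; the 90-day staleness cutoff is an arbitrary value to tune.

```powershell
# Added example (not from the original post): list domain-joined computers whose
# AD-recorded operating system is Windows Server 2003, so the migration can be sized.
# Assumes the ActiveDirectory (RSAT) module and read access to computer objects.
Import-Module ActiveDirectory

function Get-Server2003Inventory {
    param(
        # Machines that have not logged on to the domain in this many days are
        # flagged separately; they may already be retired but never cleaned up.
        [int]$StaleDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-ADComputer -Filter { OperatingSystem -like "*Server 2003*" } `
        -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled |
        ForEach-Object {
            [PSCustomObject]@{
                Name          = $_.Name
                OS            = $_.OperatingSystem
                ServicePack   = $_.OperatingSystemServicePack
                LastLogonDate = $_.LastLogonDate
                Enabled       = $_.Enabled
                Status        = if (-not $_.Enabled) { 'Disabled' }
                                elseif ($_.LastLogonDate -lt $cutoff) { 'Stale' }
                                else { 'Active' }
            }
        }
}

$inventory = @(Get-Server2003Inventory)
$inventory | Sort-Object Status, Name | Format-Table -AutoSize
"{0} Windows Server 2003 computer objects found ({1} active)" -f `
    $inventory.Count, @($inventory | Where-Object Status -eq 'Active').Count
```

The OperatingSystem attribute is whatever the machine last reported to the domain, so workgroup servers and hosts that have been offline for a long time will not appear; treat the "Stale" entries as leads to verify rather than as retired.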

Do you have to deal with HIPAA or PCI compliance? What would it mean to your organization if you didn’t pass your next audit? Because you probably won’t if you’re still running 2003 servers. And even if HIPAA or PCI aren’t an issue, what happens when (not if) the next big vulnerability is discovered and you have no way to patch for it?

Yes, I am trying to scare you – because this really is serious stuff, and if you don’t have a migration plan yet, you don’t have much time to assemble one. Please, let’s not allow this to become another “you can have it when you pry it from my cold dead hands” scenario like Windows XP. There really is too much at stake here. You can upgrade. You can move to the cloud. Or you can put your business at risk. It’s your call.

Seven Security Risks from Consumer-Grade File Sync Services

[The following is courtesy of Anchor - an eFolder company and a VirtualQube partner.]

Consumer-grade file sync solutions (referred to hereafter as “CGFS solutions” to conserve electrons) pose many challenges to businesses that care about control and visibility over company data. You may think that you have nothing to worry about in this area, but the odds are that if you have not provided your employees with an approved business-grade solution, you have multiple people using multiple file sync solutions that you don’t even know about. Here’s why that’s a problem:

  1. Data theft - Most of the problems with CGFS solutions emanate from a lack of oversight. Business owners are not privy to when an instance is installed, and are unable to control which employee devices can or cannot sync with a corporate PC. Use of CGFS solutions can open the door to company data being synced (without approval) across personal devices. These personal devices, which accompany employees on public transit, at coffee shops, and with friends, exponentially increase the chance of data being stolen or shared with the wrong parties.
  2. Data loss - Lacking visibility over the movement of files or file versions across end-points, CGFS solutions improperly back up (or do not back up at all) files that were modified on an employee device. If an end-point is compromised or lost, this lack of visibility can result in the inability to restore the most current version of a file…or any version for that matter.
  3. Corrupted data - In a study by CERN, silent data corruption was observed in 1 out of every 1500 files. While many businesses trust their cloud solution providers to make sure that stored data maintains its integrity year after year, most CGFS solutions don’t implement data integrity assurance systems to ensure that any bit-rot or corrupted data is replaced with a redundant copy of the original.
  4. Lawsuits - CGFS solutions give carte blanche power to end-users over the ability to permanently delete and share files. This can result in the permanent loss of critical business documents as well as the sharing of confidential information that can break privacy agreements in place with clients and third-parties.
  5. Compliance violations - Since CGFS solutions have loose (or non-existent) file retention and file access controls, you could be setting yourself up for a compliance violation. Many compliance policies require that files be held for a specific duration and only be accessed by certain people; in these cases, it is imperative to employ strict controls over how long files are kept and who can access them.
  6. Loss of accountability - Without detailed reports and alerts over system-level activity, CGFS solutions can result in loss of accountability over changes to user accounts, organizations, passwords, and other entities. If a malicious admin gains access to the system, hundreds of hours of configuration time can be undone if no alerting system is in place to notify other admins of these changes.
  7. Loss of file access - Consumer-grade solutions don’t track which users and machines touched a file and at which times. This can be a big problem if you’re trying to determine the events leading up to a file’s creation, modification, or deletion. Additionally, many solutions track and associate a small set of file events which can result in a broken access trail if a file is renamed, for example.

Consumer-grade file sync solutions pose many challenges to businesses that care about control and visibility over company data. Allowing employees to utilize CGFS solutions can lead to massive data leaks and security breaches.

Many companies have formal policies, or at least discourage employees from using their own accounts. But while blacklisting common CGFS solutions may curtail the security risks in the short term, employees will ultimately find ways to get around company firewalls and restrictive policies that they feel interfere with their productivity.

The best way for businesses to handle this is to deploy a company-approved application that will allow IT to control the data, yet grants employees the access and functionality they feel they need to be productive.

The Great Superfishing Expedition of 2015

In a move that will probably end up in the top ten technology blunders of the year, Lenovo decided, starting in September 2014, to pre-install Superfish VisualDiscovery software on some of their PCs. (Fortunately for most of the readers of this blog, it appears that it was primarily the consumer products that were affected, not the business products.) The “visual search” concept behind Superfish is interesting - the intent is that a user could hover over a picture in their browser, and Superfish would pop up links to shopping sites that sell the item in the picture. I could see where that would be some pretty cool functionality…if the user wanted that functionality, if the user intentionally installed the software, and if the user could easily turn the functionality on and off as desired. But that’s not what happened - and here’s why it’s a big problem.

In order to perform this function when a user has an SSL-encrypted connection to a Web site, Superfish has to insert itself into the middle of that encrypted connection. It has to intercept the data coming from the shopping site, decrypt it, and then re-encrypt it before sending it on to the browser. Security geeks have a term for this - it’s called a “man-in-the-middle attack,” and it’s not something you want to willingly allow on your PC. In order to do this, Superfish installs a self-signed trusted root certificate on the PC. That means Superfish has the same level of trust as, say, the VeriSign trusted root certificate that Microsoft bakes into your Operating System so you can safely interact with all the Web sites out there that have VeriSign certificates on them…for example, your banking institution, as most financial institutions I’ve seen use VeriSign certificates on their Web banking sites. (Are you frightened yet?)

But that’s not all. Superfish installs the same root certificate on every PC that it gets installed on. And it turns out that it’s not technically difficult to recover the private encryption key from the Superfish software. That means that an attacker could generate an SSL certificate for any Web site that would be trusted by any system that has the Superfish software installed. In other words, you could be lured to a Web site that impersonated your bank, or a favorite shopping site, and you would get no security warning from your browser. You try to authenticate, and now the bad guys have your user credentials. (How about now?)

Hopefully, you’re at least frightened enough to check to see if your system was one of the ones that Lenovo shipped with Superfish pre-installed. You can find that list at http://news.lenovo.com/article_display.cfm?article_id=1929. Again, it appears that the majority of the Lenovo systems on the list were consumer models, not business models. If you are one of the unlucky ones, you can find an uninstall tool at http://support.lenovo.com/us/en/product_security/superfish_uninstall.
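Whether or not your model is on Lenovo’s list, the thing that actually matters is whether the Superfish root certificate is sitting in your trusted root store. The following PowerShell check is an added example (not from the original post and not Lenovo’s uninstall tool). It assumes the certificate’s Subject contains the string "Superfish" and that the software’s Windows service is named "VisualDiscovery"; adjust both if what you find on a machine differs.

```powershell
# Added example (not from the original post or Lenovo's tool): report any root
# certificate whose subject mentions Superfish, in both the machine and user root
# stores, plus the VisualDiscovery service. Subject string and service name are
# assumptions. Run from an elevated prompt to see and remove machine-store entries.
function Test-SuperfishPresence {
    param(
        # Opt in to deleting any matching root certificate after reporting it.
        [switch]$Remove
    )

    $findings = @()

    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $certs = @(Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                   Where-Object { $_.Subject -like '*Superfish*' })
        foreach ($cert in $certs) {
            $findings += [PSCustomObject]@{
                Type       = 'RootCertificate'
                Location   = $store
                Detail     = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
            if ($Remove) {
                # The certificate provider exposes each cert as an item, so it can
                # be removed like a file. LocalMachine\Root needs elevation.
                Remove-Item -Path $cert.PSPath
            }
        }
    }

    $svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [PSCustomObject]@{
            Type       = 'Service'
            Location   = 'Services'
            Detail     = "$($svc.DisplayName) ($($svc.Status))"
            Thumbprint = $null
            NotAfter   = $null
        }
    }

    return $findings
}

$result = @(Test-SuperfishPresence)
if ($result.Count -eq 0) {
    'No Superfish root certificate or VisualDiscovery service found.'
} else {
    'Superfish artifacts found; run the uninstall tool, then re-run with -Remove:'
    $result | Format-Table -AutoSize
}
```

Report first, remove second: run the uninstaller so the service stops re-adding the certificate, then run `Test-SuperfishPresence -Remove`, and finally run the check once more after a reboot to confirm nothing came back. Browsers that keep their own root store (Firefox does) need to be checked separately, since they never consult the Windows store.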

You should also note that security experts are divided as to whether simply running uninstall tools and deleting the root certificate are sufficient. Some have recommended a new, clean installation of Windows as the safest thing to do. Unfortunately, this may require you to purchase a new copy of Windows if you don’t have one lying around…as just re-installing from whatever recovery media may have come with your new PC will probably also re-install Superfish.

Meanwhile, Lenovo has stopped pre-installing Superfish, and is doing its best to control the damage to its brand. We wish them the best of luck with that - from what we’ve seen, they make some great products…and at least one really bad decision…

What’s Your Password?

Earlier this month, we posted a couple of articles on the state of cyber security. Of course, one of the biggest problems with cyber security is that too many people don’t take it seriously enough. Don’t believe me? Take a look at this:

In the words of cartoonist Walt Kelly (on Earth Day in 1971): “We have met the enemy and he is us.”

The State of Cyber Security

As we move into 2015, it’s appropriate to look back and think about what we’ve learned about the threat landscape. To that end, CheckPoint’s 2014 Security Report makes for some pretty interesting reading.

According to their research, in a typical large enterprise:

  • Every 1 minute a host accesses a malicious Web site
  • Every 3 minutes a bot is communicating with its command and control center
  • Every 9 minutes a high risk application is being used
  • Every 10 minutes a known malware is being downloaded
  • Every 27 minutes an unknown malware is being downloaded
  • Every 49 minutes sensitive data is sent outside the organization
  • Every 24 hours a host is infected with a bot.

If you’re an SMB rather than a large enterprise, it doesn’t mean you’re off the hook, it just means that you may have a bit more time before the law of averages catches up with you.

Why does this happen? It’s not because your users are stupid, and (in most cases) it isn’t because they’re malicious. It’s because they’re not IT security professionals, and they’re busy trying to do whatever it is that you hired them to do. When a window pops up with an “OK” button in it, many of them will reflexively click “OK” without realizing exactly what they just agreed to. (And it may have been permission to install malware on their system.) Busy people also often think nothing of opening a file attachment that arrives by email, not realizing that more than two-thirds of malware-infected files are either PDFs, archive files (e.g., ZIP, tar, RAR, CAB, etc.), or MS Office files (typically Word and Excel, sometimes PowerPoint as well). People who are enticed to visit a compromised Web site, and who are then prompted to install an updated video driver in order to view the Web site content, will often approve it without thinking that what they’re installing might not be a video driver at all.

It also happens because, in the continuing arms race between malware writers and security software vendors, the malware writers are getting better at evolving their malware to avoid detection by existing products – typically giving them a 2 to 3 day window of opportunity to exploit systems before the malware is detected, security definitions are updated, and security software is able to detect and block it. And with today’s do-it-yourself malware toolkits, you don’t have to be a sophisticated code jockey to generate a new malware variant. Modern security software typically includes algorithms that look for suspicious behavior in order to try to block unknown malware, but according to CheckPoint, less than 10% of antivirus engines were capable of detecting new malware variants when they were first caught in the wild.

So, in the words of the 1965 “Total” cereal commercial, “What’s a mother to do?”

First of all, you should have a written security policy, and make sure that all of your employees have a copy of it, and sign off on a statement that they have read it and understand it. That way you know that (at least once) they’ve had to give some thought to security and what they are expected to do (and not do). Also, if you ever have to take disciplinary action against an employee, you’ve protected yourself against the “Wait, I didn’t know I wasn’t supposed to…” argument. If you need assistance in crafting a security policy, contact us. It isn’t that difficult, and there are readily-available templates that can be easily modified to adapt to most organizations’ needs.

Second, use a defense-in-depth strategy. A small or mid-sized organization may not be able to afford the sophisticated network intrusion detection/prevention systems that large enterprises deploy, but a good firewall appliance (like the latest WatchGuard models) can provide a layer of virus filtering, outbound URL filtering, and intrusion prevention right at the network boundary. A third-party email filtering service such as the Mimecast service that we offer with all of our hosted Exchange plans can provide yet another layer of malware filtering using multiple anti-virus engines, as well as outbound content filtering to help prevent “data leakage” from your organization. And, of course, it is still important to have anti-virus software on your servers and workstations.

Third, ensure that you have a vulnerability management and patching process in place for applications (e.g., Office apps, Java, Adobe Flash, Acrobat, etc.) as well as server and workstation Operating Systems. If your business is very small, and you can’t afford to hire someone like us to manage this for you, make sure that systems and applications are set to update automatically. Yes, occasionally Microsoft has released a patch that has broken something. But your chances of getting bitten by something like that are smaller than your chances of falling victim to an exploit if your systems are several months out of date because you didn’t have time to test and apply all the patches as they were released.

Fourth, consider blocking high-risk applications. For example, WatchGuard’s Application Control functionality can give you granular control over social media applications, instant messaging applications, and file sharing applications (e.g., Dropbox, P2P apps like BitTorrent, etc.). You can selectively allow, block, or restrict access based on a user’s department, job function, and time of day – and generate usage reports so you know what applications are being run on your network, and by whom.

Fifth, ask yourself whether your users really need local admin rights to their workstations. Remember that if users have the rights to install software on their own PCs, and they inadvertently approve the installation of something that turns out to be malware, the malware is going to be installed. There are some utilities out there that can help, like CryptoPrevent from the folks at Foolish IT, which, among other things, can prevent disguised executables (e.g., mymalware.pdf.exe) from running, and prevent executables from running if they’re in folders that you wouldn’t normally expect executables to be in, but once you’ve given users local admin rights, it’s no longer possible to guarantee that they won’t shoot themselves in the foot.
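Even before you decide on a tool, you can see how much of this is already on your workstations. The following read-only audit is an added example (not from the original post and not CryptoPrevent’s code): it flags the two patterns described above, executables carrying a disguised double extension such as mymalware.pdf.exe, and executables sitting in user-writable folders where you would not normally expect them. The folder list, the extension lists and the inner-extension pattern are assumptions to tune for your environment.

```powershell
# Added example (not from the original post, not CryptoPrevent): audit the
# current user's profile for executables in folders that should not hold any,
# and for executables with a disguised document-style double extension.
# Paths and extension lists are assumptions; review the output, it is not a verdict.
function Find-SuspiciousExecutables {
    param(
        [string[]]$Path = @("$env:LOCALAPPDATA\Temp", "$env:APPDATA", "$env:USERPROFILE\Downloads"),
        [string[]]$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')
    )

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $ExecutableExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                # BaseName drops the real extension; if a second, document-like
                # extension remains (report.pdf.exe -> ".pdf"), the name is disguised.
                $inner = [System.IO.Path]::GetExtension($_.BaseName)
                $reasons = @('Executable in user-writable folder')
                if ($inner -match '^\.(pdf|docx?|xlsx?|pptx?|txt|jpg|png|zip)$') {
                    $reasons += "Disguised extension ($inner$($_.Extension))"
                }
                [PSCustomObject]@{
                    FullName      = $_.FullName
                    SizeKB        = [math]::Round($_.Length / 1KB, 1)
                    LastWriteTime = $_.LastWriteTime
                    Reasons       = $reasons -join '; '
                }
            }
    }
}

Find-SuspiciousExecutables | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Keep in mind that Explorer hides known extensions by default, so the user sees report.pdf.exe as "report.pdf"; turning that setting off is a cheap companion control. Expect legitimate hits under %APPDATA% (several mainstream applications install there), which is exactly why the post’s point about local admin rights matters: an audit tells you what is there, but only a policy enforced by the OS (Software Restriction Policies or AppLocker, both built into Windows) keeps the next one from running.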

Finally, talk to your employees regularly about security, so they understand the risks posed by certain applications – and understand why certain things are blocked or prohibited. Remind them about the things to look for that might tip them off that an email message may not be legitimate. Remind them not to open file attachments that they were not expecting to receive. A lot of security breaches are caused by simple human error – and people need to be reminded more than once, simply because they get busy and forget.

Here’s to a safe and prosperous 2015!