Webinar Recording – An Introduction to Enterprise Mobility + Security (EMS)

I recently presented a webinar, hosted by my employer MicroWarehouse, on an introduction to Microsoft EMS. The timing worked out pretty sweetly – Microsoft had just announced:

  • The renaming of EMS from Enterprise Mobility Suite to Enterprise Mobility + Security, emphasising that security is most of what EMS does.
  • The new E5 EMS bundle that will be released in Q4 of 2016.

image

We have posted the recording of the session on learn.mwh.ie, along with the PowerPoint deck, and some follow up links for reading and learning. EMS is a great suite to learn about, and a great package to consider adopting for securing the endpoints (devices and users) against attack. And you’d be amazed how often the elements of EMS are the answers to security questions.

Speaking of security, our next webinar is coming on July 21st at 2PM UK/Irish time, 3PM CET or 9AM Eastern:


Web Developers Are Anticipating Big Contracts – Java Is Dead!

Java was meant to be the foundation of a universal platform for all operating systems that would flatten applications and the Internet. It was meant to be great for all. But what Java accomplished was:

  • It was a platform of incompatibility. How many of us have dealt with users requiring 3-4 versions of Java, teaching “Hopeless John/Joan in Finance” how to switch between those versions, and getting at least 1 helpdesk call from him/her per day?
  • Becoming one of the most attacked products on the planet, thanks to its gaping holes and slow updates from Sun/Oracle.

So it was kind of funny that almost every bank and every tax collection agency on the planet adopted Java as their required application runtime. Customers/taxpayers around the world are running the ancient and vulnerable Java 4.x because the code requires it.

And this is why IT staffs hate, no … HATE Java.

Start partying … Oracle announced:

Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.

In other words: JAVA IS DEAD!

Woooooooooohooooooooooooooooooooooooooooo!

Two groups will be delighted:

  • Web developers, who are anticipating Y2K-style fees from banks and government finance departments that are now in a race against end of support.
  • IT pros, who are anticipating the removal of Java hack-ware and helpdesk-ticket-ware.

Irish Government To Run Cyber Security Tests

According to Silicon Republic, the Irish government is to run some cyber war games to test their responses and resilience to digital attacks. 

That’ll be interesting; a few years ago the Irish government decided to implement a very unpopular and ineffective DNS-based copyright (and potentially censoring) system that drew the attention of a certain Guy-Fawkes-mask-wearing hacktivist group. In no time at all the hackers posted admin passwords from the Department of Foreign Affairs (DFA), a group you’d expect to have superior security. I saw the list, and it was not much better than “Monkey” or “Password1” … actually “Password1” might have been one of them!

Hopefully the results of the tests will lead to real changes in practices and design. I’m sceptical; I reckon the tests/results will be moulded to minimise “bad results” and any knock-on effect on image. Plus an admin who uses “Password1” in a so-called secure environment is the sort who won’t want to change.

Folks from efficient countries will think I’m being a cynic – people who live in Ireland know exactly what I mean (e-voting machines where the admin password was in the publicly available help button, a 10 year SAP project that exceeds departmental budgets, digital ticketing for public transport that makes us want to use paper stripe cards like most Euro cities, and so on).


Bank of Ireland’s Stupid Phishing Phone Calls

This afternoon I got a phone call from a blocked phone number. I answered. The person who called said he was calling me from Bank of Ireland. I got the usual “the call is being recorded for training purposes” speech. And then the shocker:

“I need to ask you some security questions”.

Huh?

  1. This person called me. I assume he got my number from a database. OK, my phone could have been stolen. But let’s remember that he called me.
  2. He was going to ask me the security questions?

Who the hell was he? This could be any geezer with caller ID disabled on his phone, reading off an official-sounding script. Let’s imagine he asks me to confirm my date of birth, my credit card number, my mother’s maiden name, etc. What’s to stop that dude from calling the bank and claiming to be me?

I refused to proceed. To be honest, I knew it was BoI and I knew why he was calling. But I wanted to highlight how stupid this “phishing” practice was. The guy in question understood and told me how I could contact the bank to proceed. He was quite professional about it, and not to blame for the process he was forced to follow by his employer/manager.

But the practice of calling from a blocked number and then asking security questions is ridiculous. I took to Twitter to let BoI know what I thought:

image

This is the response that I got:

image

So let’s imagine the scenario out:

  1. The Prince of Abuja picks up his phone, blocks caller ID, and calls me. He reads out the “call is being recorded” script and starts the security question process.
  2. I stop him because I don’t want my security question answers to be phished.
  3. The Prince of Abuja now says “Sure, my name is Prince of Abuja and you can call me on 01 4567890 and I’ll be happy to help you”.
  4. I call 01 4567890.
  5. The Prince of Abuja now asks me the questions and I give him the answers.
  6. Now the Prince of Abuja has the necessary information to call Bank of Ireland and pretend to be me.

Bank of Ireland, this is the most ridiculous “security” practice. It’s clear that you don’t have the first clue about data or identity security. I am not a real security expert, but I know enough not to be sharing information in this manner.

Jeez!


Microsoft Security Intelligence Report – H1 2012

Volume 13 (Jan-June 2012) of the Microsoft SIR has been released. Last year I read the previous one, and Conficker was still the number 1 malware on domain-joined computers. What nuggets are there this year?

Before we get there …

I heard of another report (Symantec, I think) that a new kind of attack is being employed by hackers, called a “water-hole attack”. Much like lions on the plains, the hackers lie in wait at locations where their prey comes to get something. So they deliberately place targeted malware on a site that they know their intended victim will visit, and wait. Eventually *bang*, they hit and take over a machine in the victim’s network. It’s more efficient than the normal untargeted drive-by attack.

Hackers are also now attacking the supply chains of their prey. This is a good approach if you want to cripple a manufacturer, e.g. hit their suppliers so the manufacturer cannot produce. It is very effective now because of Just-in-Time manufacturing and exclusive supply contracts. The real victim (the manufacturer) can do nothing with their own IT security to defend against this. The only solutions are business ones: demand high levels of security/compliance from suppliers, and have varied supply chains so that one downed supplier does not shut down the business.

And back to the main event …

Unsecure Supply Chains

There is a rise in malware being spread by BitTorrent, warez, legitimate website downloads, etc. The rise of BYOD and the consumerisation of IT makes this a threat in the business. Users are downloading software outside of the traditional locked-down, administrator-driven controls, and they are bringing in malware.

Win32/Keygen is a common threat in this space, and the name gives away what it sells itself as: a quick way to activate software that you haven’t bought or can’t find a product key for (Photoshop, Nero, AutoCAD, Call of Duty, etc.). Some “Adobe Flash” installers were also found with malware. These were non-legitimate installers hosted on 3rd party sites; the user comes to a site that won’t play and is told to install an up-to-date version of Flash. They do, and their PC is owned, because that was not the official installer from the Adobe site.

Contrary to many misconceptions, no anti-malware product can offer 100% protection anymore. There are just too many attacks, many of which go unreported for very long times thanks to the new zero-day black markets and their “royalty for staying quiet” payment schemes. The days of the teenager in the basement are over; this stuff is very professional now, looking to steal confidential data and financial access.

What can help is a well-designed BYOD scheme with isolation. I like the App Catalog in ConfigMgr 2012. It gives the user the flexibility of BYOD but on a corporate machine. As for true BYOD, personally owned devices, you have to treat those as untrusted and not let them all the way in, in my opinion. Windows To Go is a nice touch, allowing the user to use their own device, but they must use a Windows 8 image on a USB 3.0 storage device that is provided and managed by the business.

This kind of malware is a real threat in BYOD deployments. Isolate those machines and only give them limited access to web apps via firewalls, is my thinking. But I can see how that’s not enough, e.g. key loggers.

Microsoft has a few suggestions:

  • Acceptable usage policies: sorry, but users are stupid (rule #1) and rules are made to be broken. We all know that IT only creates these policies to make life more intolerable anyway – that was sarcasm, by the way. Blocking and limited rights are the only way forward.
  • Block P2P: that goes without saying for LAN/Internet access, but it is a challenge for mobile computing without expensive 3rd party software.
  • Procurement: buy all hardware and image it for the users … hmm.
  • Use AppLocker: Software Assurance is required for this whitelisting solution on Windows 7/8 Enterprise.
  • Use a 64-bit OS: not a solution, but it appears to limit the success of attacks.

Windows To Go or RDS/Citrix seems like the solution for BYOD to me. Let them use the device of their choice, but not the OS/data on that machine.

Disclosed Vulnerabilities

This refers to the number of industry-revealed weaknesses in software. There had been a trend where this number was dropping from 2009 to 2011, but we see a rise in 2012 across low, medium, and high risk threats. 50% of threats in H1 2012 were medium risk and 31.5% were high risk.

OS vulnerabilities have been dropping since 2010 and continue to do so. Browser vulnerabilities (industry wide) have been rising since 2009. Application vulnerabilities (e.g. Flash and Java) have risen drastically in H1 2012. Note that the rise affects non-Microsoft products, while Microsoft vulnerabilities have been reducing in number since H2 2010 (down 56.1%).

image

Exploits

HTML/Javascript (dropping in this period) and Java (rising since Q3 2011) lead the way, by a long shot.

image

Java has made a lot of bad security headlines in recent months, and you can see why this is a concern. This is compounded by Oracle’s infrequent releases and their intransigence on this matter until the media as a whole said that Java needed to be turned off or removed.

Documents were the number 3 type to be hit. Guess who came in at number 1 with no one in the rear-view mirror? You guessed it: Adobe Reader and Acrobat.

As for the OS being attacked, Windows was the clear number 1, as it should be, because it is on 95% of all PCs after all. Android is number 2. Apple are barely a speck on the market and were just bundled into the flat Others category.

The number 1 most attacked vulnerability was the 2-year-old (August 2010) MS10-46 (made famous by Stuxnet, but Ramnit is the #1 threat exploiting it [and rising]).

Turns out that some of the jailbreak solutions for Android contain malware.  Not too surprising, really.

Security Update Maintenance

No surprises here unfortunately:

image

Windows is still not being updated. I still encounter reasonably large organisations that “manually” approve patches. If you attend any presentation that I do that includes the topic of patching, then you know that manual approval is an oxymoron. These are usually the same people that have been hit by Conficker, etc., years after the patch to block it was released. That’s professional negligence in my opinion, pure and simple.

The lack of compliance for Adobe and Java is far from surprising. 28% of Adobe Reader users had not updated in 2 years. Adobe needs to do more to work with the OS vendors to get their products updated. And we all know that Java apps are usually written to run on a specific 5-year-old version of the runtime, and that’s usually government (taxation) or banking software … you know … the stuff that needs the best security?!?!?!

Geography

Infection rates went up by 32.6% in the USA during Q1 and Q2 of 2012 (FakePav fake anti-virus – detections up 45 times). Similar with Korea (Pluzoks trojan). China has a slight increase, and everyone else was down.

Successful infection rates are rocketing in Korea.  I mean rocketing.

Operating System

Windows XP SP3 leads the way. Windows 7 SP1 x86 is half of that rate, and the x64 is one third of it. Adware has been dropping since Q1 2011, but Trojans have been on the rise since Q2 2011.

Business Versus Home PCs

A JavaScript threat called IframeRef is the number one threat on domain-joined (business) PCs. Here is the bit that is the most sickening and annoying of all. Conficker is still the number 2 threat on business machines. Seriously!?!?!!? The patch (MS08-067) to prevent this was released in October 2008 … 4 frakking years ago! Why the hell are businesses not patching? The tools have been freely available since … jeez, 2003 or something, when SUS was released!?!?! There is absolutely no legitimate excuse for this … don’t bother posting any lame excuses you might have for your lack of professionalism if this applies to you; you’ll only highlight your own deficiencies for the world to see.

On the home side, Conficker is not in the top 10.  KeyGen is the #1 and Autorun is #2.

Phishing Sites

Remember I said these guys want to steal money? All categories (including social media) are down, except for financial phishing (fake emails from your bank saying you need to log in to a dodgy site), which is on the increase in Q2 2012. The USA, Ireland, China, east Africa, the south Gulf, and southeast Asia are all hotspots for this activity.

Go have a read of the document for yourself, especially if you are involved in the decision making for IT security or engineering at your site or those of your customers. It’s useful to see what’s going on right now so you can plan accordingly.


Microsoft Discontinues A Number Of Forefront Products

It was generally known on the Internet that something was up; Forefront Threat Management Gateway (TMG) was considered by many (on forums and blogs) as walking dead. People knew it was just a matter of time before an announcement would come. And so it did yesterday, but I did not expect the actual breadth of the announcement. The following products will no longer be available after December 1st, 2012:

Unified Access Gateway (UAG) continues; it’s been used by people who have deployed W2008 R2 DirectAccess so that they don’t have to deploy IPv6 on the LAN. It’s only a matter of time, though, because that functionality has been put into WS2012 DirectAccess, meaning that UAG won’t be required for current-version DA deployments.

Forefront Identity Manager apparently has a roadmap and will “continue to be actively developed”.

The product formerly known as Forefront Endpoint Protection (the client and server file system/memory AV scanner) was moved to System Center with the release of SysCtr 2012 because of its reliance on Configuration Manager as the management console (Intune can also be used). The definition updates are common across versions, so updates will continue.

What about anti-malware protection for Exchange?  Here’s what Microsoft had to say:

As part of this effort, the next release of Forefront Online Protection for Exchange, which has long been part of the Office 365 solution, will be named Exchange Online Protection. 

In response to customer demand, we are adding basic antimalware protection to Exchange Server 2013.  This protection can be easily turned off, replaced, or paired with other services (like Exchange Online Protection) to provide a layered defense.

Forefront Online Protection is the cloud-based product; think Postini or MessageLabs, but run by Microsoft for Exchange. Anyone planning on running Exchange 2010 or older will not have an on-premises defence for Exchange after December 1st (see FPE in the above table). If you want on-site Exchange protection, you’ll have to look at 3rd party Exchange security solutions; otherwise upgrade to Exchange 2013 for “basic antimalware protection”. I’ve been recommending online and onsite protection – onsite protection defends against “internal” threats such as roaming or remote workers.


Want To End Your IT Career? Then Recommend Java!

I hate Java. There, I said it. Any IT pro who has had to support multiple versions of this malware breeding ground knows that Java is a complete nightmare. I detested dealing with Java when I was an administrator/engineer. Well, the chickens have come home to roost for Oracle.

A commercially available attack toolkit called Blackhole includes the ability to attack the latest version of Oracle Java on all platforms, including Windows, Mac OS, and Linux. Attacks are already in the wild. These drive-by attacks silently attack the Java VM when a user browses to the web site, leaving the machine vulnerable to being taken over.

If you want to find out if your version of Java is vulnerable to any security flaws, then you can check it on this website. I can save you a mouse click: your Java is vulnerable because … all versions of Java are vulnerable:

“Oracle knew about zero-day Java vulnerabilities for months, researcher says” according to Computerworld. I read a claim on The Register that Oracle has known about the vulnerabilities since April. Oracle are sticking silently to their patching schedule, and won’t patch the vulnerabilities until mid October. That’s responsible of Oracle, eh? Not!

So with no patch to secure Java (there’s an impossibility!), security experts are recommending that you disable Java in your browser. I’d go one step further: uninstall the sh1te and find alternative applications/banks that understand the need for security. Anyone who continues to recommend or sell Java-based apps should be ignored, fired, thrown off of a cliff (joking about the last action … I think).

Edit#1

For you Java fans, why don’t you read this and this:

“The most commonly observed types of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters” – A report in 2011.

As for Microsoft software having vulnerabilities: yes – any large piece of software does, including Linux, Android and Mac OS. You’re a naive moron if you think otherwise. Where Microsoft rises above the competition is that they deal with the issues as they arise, release patches, and scream from the mountain tops to get you to patch. They even give you simple free and enterprise tools to automate this. But naive morons don’t want to listen because they have their heads up their asses:

  • 23/09/2008: Microsoft released a security patch that would have prevented Conficker.
  • 24/11/2008: Conficker is first discovered, 1 month after Microsoft released the patch.
  • Mid-2011: Conficker is still the #1 malware present on domain-joined (business) PCs, thanks to the naive, professionally negligent morons who think they know better.

Check yourself and your facts before you fire out stupid comments about Microsoft just because you’ve gotten into bed with a malware breeding ground like Java.

EDIT#2

Oracle has since released an update. I don’t have Java on my machines, so I can’t tell you anything more about it. I believe the Java updater only looks for updates once per month.


Once You Go BYOD, What Happens To Information Security?

I just glanced at a post on NetworkWorld called Email in security hot seat with rise of cloud, BYOD. In it I saw this piece of text:

IBM famously issued a new set of BYOD policies that, among other things, forbid employees to use a competitor’s cloud service (no more Dropbox, no more Carbonite, iCloud, etc.), to forward corporate email to private accounts, to transmit unencrypted data, or to use Apple’s personal assistant, Siri.

I’ve talked about BYOD now and then for quite a while. I’ve not made up my mind on it yet. BYOD has a lot of complexities in terms of technical support, security, compliance, and so on. Once you put the user in control of choosing a device (a €300 laptop not built for heavy usage versus a proper business machine with support) and managing that device, you lose control.

But here are my thoughts on the above IBM rule. You’ve put the user in charge. Users have no interest in rules. Put all you want in the acceptable usage rights document. The first people to contravene those rules will be the executives who wanted them put in place. With BYOD you have ceded control and accepted the premise that the user knows best how they should work. If that user thinks that Dropbox is the best way to get data off of their iPad and onto their PC, then that’s what they’ll use (what other choice have they?). If they want to back up their work, then Carbonite is nice and cheap. If they want to use an iPhone 4s, then they’re not going to not use Siri (“This is your reminder to call the vet”), the most marketed feature of the phone.

Rules like this are the lawyers’ answer, but they don’t deal with the realities of human nature. The reason IT locked down PCs was to protect the business’s information property. With BYOD, you hope that users don’t send stuff all over, that they do install the app that allows remote lockdown and secure wipe, and that they act responsibly. But hey, these are the same people that will hand over their corporate passwords for a free pen in the street outside their office.


Hyper-V Is NOT Affected By VU#649219 VM “Break Out”

It was reported by the media earlier this week that an issue on Intel-based servers could lead to a “break out” from a VM to the host in certain virtualisation products, including Microsoft’s. Obviously this would be a huge concern, especially in environments where security and isolation are an issue, e.g. public cloud/hosting.

I asked the Hyper-V product group if Hyper-V was actually affected. The group allowed us to share that:

  • The problem does affect 64-bit OSes on Intel hardware, but Hyper-V is not affected.
  • This problem will not lead to break outs from Hyper-V VMs.
  • Windows 8/Server 2012 are not affected.

So that’s put that one to bed.

SYSRET 64-bit OS Privilege Escalation Vulnerability On Intel CPU Hardware

CERT reported that:

Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.

That last bit is the piece that should concern you. Microsoft responded with one of this month’s Patch Tuesday updates (thanks to Patrick Lownds for the link). MS12-042 fixes this issue and is distributed through the normal Windows Update catalogue.

An elevation of privilege vulnerability exists in the way that the Windows User Mode Scheduler handles system requests. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Mitigating factors for user mode scheduler memory corruption vulnerability:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
  • This vulnerability only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2.
  • Systems with AMD or ARM-based CPUs are not affected by this vulnerability.

Update your servers, including Hyper-V hosts, with this update. System Center 2012 VMM will automate this for you if you have it and have configured the update management feature.