Your <redacted> Server was found to be part of a network of compromised machines
leading a Distributed Denial-of-Service Attack (DDoS Attack) against other servers.

*******************************************************************************
IMPORTANT: In order to prevent further criminal activity from your <redacted> Server,
we have suspended access pending an investigation and resolution.
*******************************************************************************

The logs they sent me show UDP packets indicating that this could be part of a DNS amplification attack. Take a look:

Please see the firewall logs below for details:
1365103763.526228 IP xxx.xxx.111.16.44223 > xxx.xxx.149.195.80: UDP, length 1
1365103763.526232 IP xxx.xxx.111.16.44223 > xxx.xxx.149.195.80: UDP, length 1
1365103763.526234 IP xxx.xxx.111.16.44223 > xxx.xxx.149.195.80: UDP, length 1
1365103763.526236 IP xxx.xxx.111.16.44223 > xxx.xxx.149.195.80: UDP, length 1

That’s all I know for now. I have to contact the provider, open a window of time to gain access, and secure the server. I’ll keep you posted.

Skype faced a fairly serious security threat today [Nov. 14, 2012], thanks to a flaw in the system replicated by The Next Web that allowed people to sign up with email addresses already in use by other users and then force password resets for any accounts associated with those emails. Reset tokens could be delivered to the Skype client itself, meaning people didn’t need access to email accounts to reset passwords associated with them.

Very shortly after The Next Web notified Microsoft, the issue was fixed.

The flaw was actually more of a design issue than a security hole, according to Steve Gibson of Security Now! He discussed this flaw in Security Now! Episode #378:

Microsoft shut down the vulnerability, the aspect of vulnerability, which was password recovery. They took that part offline immediately, then looked at the problem, understood it, fixed it, and then brought password recovery back. So that’s what I mean by this being a design problem. As soon as someone told them, they’re like, oh, my god. And so it was easy to fix.

Interestingly enough, there are footnotes that apply to Windows Server 2008 and Windows Server 2008 R2 detailing whether or not the Server Core installation is affected:

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option.

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option.

This tends to support some of the things I am hearing about Server Core being more secure than a full-blown GUI installation of the products. Here’s Microsoft’s take:

Reduced attack surface. Because Server Core has fewer system services running on it than a Full installation does, there’s less attack surface (that is, fewer possible vectors for malicious attacks on the server). This means that a Server Core installation is more secure than a similarly configured Full installation.

Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire? Or use a hijacked printer as a copy machine for criminals, making it easy to commit identity theft or even take control of entire networks that would otherwise be secure?

It’s not only possible, but likely, say researchers at Columbia University, who claim they’ve discovered a new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.

You can read the article and decide for yourself it this is a real threat or just sensational journalism. My take is that I’m not going to worry about it unless it starts happening in the wild. Naturally, HP responded and while I’m no HP apologist, I tend to view their stance as justified. You can read HP’s statement which leads with:

Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.

HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.

While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall.

HP says it is working on a firmware upgrade to address the security vulnerability.

Microsoft is planning eight security updates next week – two critical – as part of its regular Patch Tuesday program.

The obvious highlight of the batch is a critical update for Internet Explorer that affects all supported versions of Microsoft’s ubiquitous web browser, including IE 9. The second critical update covers flaws in Microsoft .NET Framework and Microsoft Silverlight that create a possible mechanism for miscreants to inject hostile code onto vulnerable systems.

The bad news is that most of the updates will require system restarts. I suggest you set updates to manual on any application servers.

by thegeek » Tue Mar 15, 2011 8:48 pm

ozbloke wrote:Does Adobe Flash Player have the worst security record of all time??

Yes, even worse than Microsoft, if that’s even possible…

Has Adobe ever released a version of Flash Player that wasn’t riddled with vulnerabilities??

Not that I know of. I dumped all things Adobe a long time ago. Unfortunately, I can’t function without using the Flash player.

Adobe has just discovered a “critical vulnerability” in its Flash Player that has the potential to cause all kinds of trouble; the flaw could cause a user’s computer or mobile device to crash and, even more concerning, the vulnerability could “potentially allow an attacker to take control of the affected system.”

Not even remotely surprised.

The flaw affects Adobe Flash Player 10.2.152.33 and earlier versions of the platform running on every major operating system, including Windows, Macintosh, Linux, and Solaris. It’s also an issue on Android devices running Flash 10.1 and earlier. To date, Adobe has discovered that the vulnerability is being exploited in Flash files, as well as through Microsoft Excel but the issue hasn’t affected Reader or Acrobat.

Don’t get me started about Reader and Acrobat. Two of the crappiest programs ever made, if you ask me.

According to reports; Adobe plans to release a fix for the vulnerability sometime next week. Until then, the company has warned users to “follow security best practices by keeping their anti-malware software and definitions up to date.”………no sh*t Sherlock!!

Ya think?

Roll on HTML5!!!

It’s really unacceptable and unfortunate that Adobe has managed to get itself into a position of being the “standard” for Flash. We need a change, don’t we?

You might be thinking that this is no big deal; people can just change their passwords. That’s true. The problem is that many people– against my and countless other security advisers’ advice–use the same combination of user credentials across multiple sites. The only way to mitigate the risk in this case is to change credentials at every site and never use the same password more than once.

To make matters even worse, quite a few of the accounts used ridiculously simple passwords. You can find a list of the top 250 most commonly used passwords here, but in case you’re wondering, here is a list of the top 10:

 2516 123456
 2188 password
 1205 12345678
  696 qwerty
  498 abc123
  459 12345
  441 monkey
  413 111111
  385 consumer
  376 letmein

The significance of “monkey” escapes me, but I’ve seen the other ones used many times in my role as sys admin.

Here’s what Woody Leonhard of Windows Secrets recommends:

While perusing the list is entertaining, the important lesson here is about password use. For example, let’s say you posted a comment on Lifehacker a few years ago. To post the comment, you had to give an e-mail address and password — which, at this very moment, somebody might be decrypting. Now let’s say you’re sloppy and using the same password for PayPal you used for Lifehacker. If a cyber thief has the foresight to sign on to PayPal with your e-mail address and cracked password, you can kiss your PayPal balance good-bye.

If there’s the remotest chance you’ve posted a comment on Lifehacker.com or Gizmodo.com, go immediately to Duo Security’s “Did I get Gawkered” site and enter your e-mail address. If your name’s on the list, change your passwords!

To that, I would add, “and be sure they are strong passwords.”

Let’s say, for example, that you allow your employees to bring their laptops or other devices to the office and use them on your network. This puts you at risk in at least three ways:

1. You have no control over whether or not the employee is current will all security updates or AV updates. They could easily bring malware with them. Keeping systems fully patched is a first line of defense. Use network access control to make sure that any computer you allow on the network is fully patched.
2. A rogue application let loose on your network can degrade performance and cause no end of problems.
3. An infected thumb drive or other USB device completely bypasses your firewall and other filtering. Exercise some control over what’s allow to be plugged in. It’s easy enough to do.

Sophos has released a whitepaper that outlines at least eight threats that get past conventional AV. I suggest you check it out.

High-profile incidents that make big news might seem out of the ordinary. Yet businesses of every size face similar risks in the everyday acts of using digital technology and the internet for legitimate purposes. This paper outlines eight common threats that traditional anti-virus alone won’t stop, and explains how to protect your organization using endpoint security.

Stuxnet was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes. According to a PC World report, “… Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm’s attack.”

See Microsoft Security Bulletin Advance Notification for October 2010.

I'm fed up with Adobe!

There are those of us who haven’t used Adobe’s Acrobat Reader in years, choosing alternatives like the free FoxIt Reader, or Open Source Xpdf instead. My reason at first was simply that Acroreader is bloatware, took forever to load and used up too much memory; these days, my reason includes the terribly insecure software Adobe insists on releasing. Unfortunately, it’s hard to get away from Flash on the web, but there is an alternative player/plugin that I’ll talk about in a moment. And here we go with business as usual:

Security Advisory for Flash Player

Release date: September 13, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884
Platform: All

Summary

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We’ll have to wait until the week of September 27, 2010 for the Flash patch, and the week of October 4, 2010 for the Reader/Acrobat patches.

What can you do? Unless you absolutely have to have Reader/Acrobat for some reason, switch to an alternative such as one of those I mentioned above. FoxIt Reader integrates nicely with Firefox. There’s another FF add-on that’s an alternative to Adobe: gPDF is a handy tool to view PDF, DOC, DOCX and PPT files online, using Google’s Docs Viewer.

Next, disable Shockwave Flash plugin. Download and install Swiff Player (current version 1.7), a Free stand-alone player that enables web designers and Flash users to easily play Flash movies. When you install it, it also becomes the default player for .swf files on the web. Sweet, eh? Swiff Player is very fast, too. This won’t eliminate Flash (Swiff Player requires it), so I’m not sure exactly what is gained, but it’s an extra layer for hackers to penetrate, so it just might break a Flash exploit by introducing a misdirection.

Anyone have any thoughts on this?