Remote Desktop Services Remote Code Execution Vulnerability Is Found (CVE-2019-0708)

Microsoft has released a fix for a critical Remote Code Execution vulnerability (CVE-2019-0708) in Remote Desktop Services that affects older versions of Windows still used by many organizations worldwide, most notably in the healthcare and finance sectors, but in others as well.

The vulnerability is exploitable before authentication and requires no user interaction, so an attacker who can reach the RDP service could execute arbitrary code on the target system. According to Microsoft, exploitation only requires sending a specially crafted request to the target system’s Remote Desktop Service over RDP (TCP port 3389 by default).

Microsoft describes the flaw as “wormable”: malware that exploits it could spread from one vulnerable machine to the next without any user action, much as WannaCry did in 2017 when it caused catastrophic disruption to thousands of organizations across all industries worldwide.

What is Affected?

Windows 7, Windows Server 2008 and Windows Server 2008 R2 are affected and receive the fix through the normal update channels. The out-of-support Windows XP and Windows Server 2003 are affected too; Microsoft took the unusual step of publishing fixes for them as well, but those must be downloaded and installed by hand.

Windows 8, Windows 10, Windows Server 2012 and later are not affected by this vulnerability.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
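The following script is an added example, not code from Microsoft or from this newsletter. It reports, for the host it runs on, the three things that decide whether CVE-2019-0708 matters there: whether the OS family is affected, whether RDP is actually accepting connections on 3389, and whether the fix is installed. It also reports whether Network Level Authentication (NLA) is required, which Microsoft’s advisory lists as a partial mitigation because the attacker would then need valid credentials before reaching the vulnerable code. The KB numbers are assumed to be the May 2019 fix identifiers from the MSRC advisory linked above; confirm them against the advisory for your exact SKU before trusting a “Patched” verdict, and note that Get-HotFix only sees updates registered with WMI. PowerShell 3.0 or later in an elevated session is assumed.

```powershell
# Added example: host-side exposure check for CVE-2019-0708.
# Not from the original page or Microsoft; run in an elevated PowerShell 3.0+ session
# on the host being assessed.

# KB numbers for the May 2019 fixes. Assumption: these are the IDs from the MSRC advisory;
# confirm against the advisory for your SKU before trusting a "Patched" verdict.
$Cve20190708Kbs = @(
    'KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2: security-only / monthly rollup
    'KB4499180', 'KB4499149',   # Windows Server 2008 SP2:        security-only / monthly rollup
    'KB4500331'                 # Windows XP / Server 2003 (out-of-support, manual install)
)

function Get-RdpExposure {
    [CmdletBinding()]
    param([string[]]$FixKbs = $Cve20190708Kbs)

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $version = [version]$os.Version

    # Affected families are everything before Windows 8 / Server 2012 (NT kernel 6.2).
    $affectedOs = $version -lt [version]'6.2'

    # RDP is reachable only if connections are not denied and something listens on 3389.
    $tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny       = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)
    $listening  = [bool](netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:3389\s+\S+\s+LISTENING' -Quiet)

    # NLA forces authentication before the vulnerable pre-auth path is reachable;
    # Microsoft lists it as a partial mitigation, not a fix.
    $ua          = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($ua -eq 1)

    $installedFix = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $FixKbs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })

    $verdict =
        if (-not $affectedOs)                        { 'Not affected: OS family is not vulnerable' }
        elseif ($installedFix.Count -gt 0)           { "Patched: $($installedFix -join ', ') installed" }
        elseif (-not ($rdpEnabled -and $listening))  { 'Vulnerable build, but RDP is not accepting connections; patch anyway' }
        elseif ($nlaRequired)                        { 'UNPATCHED; NLA required, so an attacker needs valid credentials first (partial mitigation)' }
        else                                         { 'UNPATCHED and exposed pre-authentication; patch or block TCP 3389 now' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = $os.Caption
        Version       = $os.Version
        AffectedOs    = $affectedOs
        RdpEnabled    = $rdpEnabled
        Listening3389 = $listening
        NlaRequired   = $nlaRequired
        FixInstalled  = ($installedFix -join ', ')
        Verdict       = $verdict
    }
}

Get-RdpExposure | Format-List
```

Run it on each Windows 7 / Server 2008 host you still have; anything that comes back “UNPATCHED and exposed” should be patched or have TCP 3389 blocked at the perimeter the same day, and the NLA verdict is a stopgap, not a reason to defer the update.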

Ramadan, 2019

Ramadan commemorates when the sacred Quran was revealed to Muhammad.  At the spotting of the crescent moon, Muslim families and communities will honor this revelation by beginning a month of inward reflection, spiritual renewal, and prayer.

During Ramadan, Muslims fast from dawn to dusk, recite passages from the Quran, and perform benevolent acts of charity and good will toward others.  By doing so, they develop a renewed sense of purpose in their own spiritual journey, deepening their appreciation for God’s grace and mercy.

Throughout this month, we all have an opportunity to reflect on the blessings we have been given and to work toward greater fellowship with one another.  Together, in the spirit of Ramadan, we can achieve a more harmonious and respectful society.

Oracle Java now requires a commercial license

Using Java for your projects and testing? If you updated recently, you may have noticed the new license terms.

[Screenshots: the updated license prompt on Windows and on MacOS]

The new license permits certain uses, such as personal use and development use, at no cost. Business use in the workplace is not covered.

Oracle is encouraging those downloading Java from its site to read the updated FAQ.

If you are an organization used to getting Oracle Java SE binaries at no cost, you can simply continue doing so with Oracle’s OpenJDK releases available at jdk.java.net. If you are used to getting Oracle Java SE binaries at no cost as a personal user or for development use, then you can continue to get Oracle Java SE releases through java.com (personal users) and the Oracle Technology Network (“OTN”) (developers). Those wishing to use the Oracle JDK or Oracle JRE for other uses will require a Java SE Subscription.

Is Java still free?

Oracle stewards the OpenJDK open source community and provides the latest stability, performance and security updates to the latest release. This includes patch updates, scheduled over a year in advance; additional updates when required; and two feature updates (which also include critical patch updates) each year under the new release cadence.

What about updates?

You will continue to receive updates as before until at least December 2020. The auto-update mechanism will ask you to confirm that you understand and accept the new license before updating. 

What is personal use?

Personal use is using Java on a desktop or laptop computer to do things such as to play games or run other personal applications. If you are using Java on a desktop or laptop computer as part of any business operations, that is not personal use. For example, you could use a Java productivity application to do your own homework or your personal taxes, but you could not use it to do your business accounting. 

What if Java comes with software I installed?

Your application vendor may have an ISV agreement with Oracle to provide you with Java updates to run the application vendor’s product. If this is the case, you will not need a separate license from Oracle for Java running on the application. Please contact your application vendor to determine whether your application vendor is authorized to distribute Java to you with their application.

How to prepare?

If you are an existing commercial Java SE user, you should conduct an internal assessment of your current Java deployment and the commercial features you are using to:

  • Ensure you are compliant and properly licensed based on the number of desktops or servers where Java is deployed.
  • Determine whether switching to the new subscription model would be more cost-effective based on your current annual support fees with Java.

If you anticipate your requirements for commercial use of Java to grow, you may want to consider switching to the subscription model. If you decide to switch, you can use the processor (CPU) or Named User Plus (NUP) metric to determine whether the server or desktop-based subscription is best for your environment based on your licensing requirements.

Don’t think you’re a commercial user? Conducting an internal assessment may still be worth your time, since organizations running the free version of Java SE for business purposes risk being out of compliance, which could result in significant fees if audited.

To be on the safe side, have your legal team confirm that Oracle’s Java licensing policies allow your organization to use Java SE without requiring the purchase of commercial licenses.

Not sure what to do?

Step 1: Uninstall Oracle Java
Step 2: Visit https://openjdk.java.net/
Step 3: Continue working as you did before, keeping in mind that Oracle’s OpenJDK builds receive updates only for the current feature release, so plan to move to each new release as it ships to keep getting security fixes
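Before Step 1 you need to know which machines actually have the Oracle build. The script below is an added example, not Oracle’s code and not from this newsletter; it assumes Windows with PowerShell 3.0 or later. It looks in two places that disagree more often than you would expect: what the `java` on PATH reports (the build your tools really run) and what is registered in Add/Remove Programs (the build the installer left behind). The banner strings it matches on are the ones Oracle’s JDK/JRE (“Java(TM) SE Runtime Environment”) and OpenJDK builds (“OpenJDK Runtime Environment”) print.

```powershell
# Added example: inventory Java installs and flag the Oracle build.
# Not Oracle's code and not from the original page; assumes Windows with PowerShell 3.0+.

function Get-JavaVendorFromVersionText {
    # Classifies the stderr text of 'java -version'. The two banner strings are what
    # Oracle's JDK/JRE and OpenJDK builds print on their second line.
    param([Parameter(Mandatory = $true)][string[]]$VersionText)
    $text = $VersionText -join "`n"
    if ($text -match 'Java\(TM\) SE Runtime Environment') { return 'Oracle Java SE (subscription may be required for business use)' }
    if ($text -match 'OpenJDK Runtime Environment')      { return 'OpenJDK (no Oracle Java SE license needed)' }
    return 'Unknown'
}

function Get-InstalledJava {
    $found = @()

    # 1. Whatever 'java' resolves to on PATH (what build tools and scripts actually run).
    $javaCmd = Get-Command java -ErrorAction SilentlyContinue
    if ($javaCmd) {
        # 'java -version' writes to stderr; merge it and flatten to plain strings.
        $banner = & $javaCmd.Path -version 2>&1 | ForEach-Object { $_.ToString() }
        $found += [pscustomobject]@{
            Source  = 'PATH'
            Path    = $javaCmd.Path
            Version = ($banner | Select-Object -First 1)
            Vendor  = (Get-JavaVendorFromVersionText -VersionText $banner)
        }
    }

    # 2. Installer registrations. Oracle's installer lists itself here with
    #    Publisher 'Oracle Corporation'; 64-bit and 32-bit hives are both checked.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found += @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '\bJava\b|\bJDK\b|\bJRE\b' } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Installer'
                Path    = $_.InstallLocation
                Version = $_.DisplayVersion
                Vendor  = $_.Publisher
            }
        })

    $found
}

Get-InstalledJava | Format-Table -AutoSize
```

A row with Source PATH and an Oracle vendor string is the one that matters for compliance; an Installer row with no matching PATH row usually means an old JRE that was never removed, which is worth uninstalling anyway because it no longer receives patches.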

5 Ways to Know if You Are a Data Security Risk | By John Kogan

Here are some ways to know if you are putting your clients’ data at risk.

1. YOU ARE QUICK TO CLICK ON HYPERLINKS. Avoid clicking on links in emails, especially if they are from an unknown sender or sent without context. A good way to verify links before clicking is to hover your mouse over them. Do they lead where they purport to? Check carefully for tricky typos like “arnazon.com.” If you do click on a link, never enter sensitive information into the window that opens.

2. YOU WANT TO BE EXTRA HELPFUL BY EMAIL AND ON THE PHONE. Say you get an email from a partner of your firm: they are stranded abroad, have lost their wallet, and need your help immediately. It’s natural that your first instinct would be to help, but think twice. Even if the email does seem to be from someone you know, be on guard if it seems out of character. Watch out for odd spelling and grammar, threats of negative consequences, and requests for fund transfers. If it seems weird, it probably is. By extension, be careful when someone calls you requesting information about you or a colleague. These kinds of scams are called social engineering, and they are remarkably effective.

3. YOU LOSE YOUR GADGETS AND DON’T DISPOSE OF THEM PROPERLY. Are you the type to leave your cellphone and credit card behind at restaurants, or forget your laptop in a cab? I can relate. Aside from causing headaches, such slip-ups can also lead to major breaches if your lost items end up in ill-meaning hands. To avoid worst-case scenarios, make sure everything is encrypted and, at the least, password-protected. Your phone should have a PIN or a biometric safeguard, such as fingerprint scanning or facial recognition. Your laptop should be encrypted with a solution such as Windows BitLocker.

4. YOU USE THE SAME PASSWORD FOR EVERYTHING. I know, it’s become so difficult to remember all our passwords. Still, do try to avoid repeating them, and definitely, do not write them on a post-it note that you stick to your computer monitor. If one of your accounts is breached, the rest of your accounts with the same password will be at risk as well. We recommend using a password manager such as Roboform, which creates complex and unique passwords and remembers them for you. Browsers such as Google Chrome are also starting to offer complex password management now. Also, consider multifactor authentication. If someone does get a hold of your password and tries to enter it on an unfamiliar computer, they will not be able to log in without a second verifying step, such as a prompt on your cell phone.

5. YOU HAVE LOCAL ADMINISTRATOR RIGHTS ON YOUR COMPUTER. This is common at small firms. Having administrator rights means that you are able to make big changes on your work computer, such as installing new programs. While it may be convenient, it is also dangerous: any malware that runs under your account runs with those same rights, which makes it easy for it to disable protections, persist, and reach your firm’s core systems. Your IT department or provider should be the only one with administrator privileges.

Cybersecurity: New NJ Privacy Law

You may have started to read about changes that may directly affect your organization. In response to Europe’s new GDPR law, states have begun to draft and implement additional privacy laws and regulations. My home state of New Jersey is now attempting to lead the charge in putting these new policies in place.

We all know that the security of credentials is critical to preventing data breaches, but now we have arrived at the point of deciding what else counts as “personal information”. States are now considering labeling passwords and other credentials as personal information.

“The measure closest to becoming law, S-52, would force companies to disclose data breaches involving an expanded definition of “personal information.” The bipartisan bill was approved unanimously in the Legislature and now awaits a signature or veto by Governor Phil Murphy.

Current state law mandates that companies tell customers when their driver’s license numbers, Social Security numbers, account numbers or credit or debit card numbers have been compromised. The bill would expand that list to include user names, email addresses, and passwords or security questions and answers that could be used to gain access to an online account.”

For more info:

SENATE, No. 52 – STATE OF NEW JERSEY – 218th LEGISLATURE
https://www.njleg.state.nj.us/2018/Bills/S0500/52_R1.HTM

NJ Releases Annual Statistics on Cyber Breaches – https://www.nj.gov/oag/newsreleases18/pr20181023b.html

Americans and Cybersecurity – http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/

NJ’s APP News – https://www.app.com/story/news/new-jersey/2019/03/18/nj-data-breaches-notification-cybersecurity-online-privacy-legislation/3013418002/