Security

CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability

Description

A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker could exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

Download patches here

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

I have noticed that this patch has been disruptive to system owners who use remote desktop to access and manage servers. Installing the patch on a client host without having it installed on the remote endpoint will end in an error that prevents you from accessing it.


It's best to upgrade endpoints (servers) before client systems.
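To check which of the policy levels named above a host is actually enforcing, the following PowerShell audit script is an added example (not part of the original post or Microsoft's guidance). It assumes the May 2018 CredSSP update is already installed and reads the documented registry equivalent of the "Encryption Oracle Remediation" Group Policy setting; the function and variable names are the example's own.

```powershell
# Added example: audit (and optionally set) the CredSSP "Encryption Oracle Remediation"
# level that Microsoft's CVE-2018-0886 guidance asks administrators to configure.
# Assumes the May 2018 CredSSP update is installed on the host being checked.
# Registry path/value below are the documented equivalent of the Group Policy setting
# (Computer Configuration > Administrative Templates > System > Credentials Delegation).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Documented DWORD values for the policy levels.
$Levels = @{
    0 = 'Force updated clients'   # refuse connections with unpatched peers (most restrictive)
    1 = 'Mitigated'               # patched host will not fall back to the insecure behaviour
    2 = 'Vulnerable'              # pre-update behaviour; do not use
}

function Get-CredSspRemediationLevel {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit policy: the default built into the installed update applies.
        return [pscustomobject]@{ Value = $null; Level = 'Not configured (update default applies)' }
    }
    $v    = [int]$item.$ValueName
    $name = if ($Levels.ContainsKey($v)) { $Levels[$v] } else { "Unknown ($v)" }
    [pscustomobject]@{ Value = $v; Level = $name }
}

function Set-CredSspRemediationLevel {
    # Only the two levels Microsoft recommends are accepted; 2 (Vulnerable) is rejected.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

$current = Get-CredSspRemediationLevel
Write-Host "CredSSP Encryption Oracle Remediation: $($current.Level)"
if ($current.Value -eq 2) {
    Write-Warning 'Host is set to Vulnerable; move it to Mitigated (1) or Force updated clients (0) once peers are patched.'
}
# To enforce the recommended level after servers and clients are patched (run elevated):
# Set-CredSspRemediationLevel -Value 0
```

Run the audit on both the RDP client and the server: the connection error described above appears when one side enforces a stricter level than the other supports.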

Ref: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886


Happy #NationalPasswordDay!

Today is NationalPasswordDay 2018 – May 3, 2018

The following is a list of good practices designed to keep individuals and their data safe online.

Email Security

  • Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources.
  • Verify unexpected attachments or links from known senders by contacting them via another method of communication.
  • Avoid providing your email address, phone number, or other personal information to unknown sources.
  • Avoid providing sensitive information to anyone via email. If you must, be sure to encrypt it before sending.
  • Be skeptical of emails written with a sense of urgency and requesting an immediate response, such as those stating your account will be closed if you do not click on an embedded link or provide the sender with sensitive information.
  • Beware of emails with poor design, grammar, or spelling.
  • Ensure an email’s “sender name” corresponds to the correct email address to identify common email spoofing tactics.
  • Never open spam emails; report them as spam and/or delete them. Do not respond to spam emails or use included "Unsubscribe" links, as this only confirms to the spammer that your email address is active and may exacerbate the problem.

Passwords and Multi-Factor Authentication

Use strong passwords on all of your accounts.

  • Long, complex passwords make you less susceptible to brute-force attacks.
  • Use a combination of upper and lowercase letters, numbers, and special characters.
  • Avoid easy-to-guess elements like pets’ names, children’s names, birthdays, etc.

To reduce the risk of account compromise, account holders should:

  • Avoid using the same password across multiple accounts or platforms.
  • Never share their password with anyone, leave passwords out in the open for others to read, or store them in an unsecured, plaintext file on computers or mobile devices.
  • Consider using long acronyms or passphrases to increase the length of your password.
  • Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on all accounts that offer it. This will help prevent unauthorized access in the event of a credential compromise.

On the Web

  • Ensure any websites requesting the insertion of account credentials and those used to conduct transactions online are encrypted with a valid digital certificate to ensure your data is secure. These website addresses will have a green padlock displayed in the URL field and will begin with https.
  • Avoid saving account information, such as passwords or credit card information, in web browsers or browser extensions.
  • Avoid using public computers and public Wi-Fi connections to log into accounts and access sensitive information.
  • Consider using ad-blocking, script-blocking, and coin-blocking browser extensions to protect systems against malicious advertising and scripts designed to launch malware or mine cryptocurrency. Example: PiHole
  • Sign out of accounts and shut down computers and mobile devices when not in use. Program systems and devices to automatically lock the active session after a set period of inactivity.

Device Security

  • Keep all hardware and software updated with the latest, patched version.
  • Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version.
  • Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files if needed.

For more info:  https://www.consumer.ftc.gov/blog/2018/03/its-national-password-day


vSphere Integrated Containers

vSphere Integrated Containers provides critical enterprise container infrastructure to help IT Operating teams run both traditional and containerized applications providing a number of benefits:

  • security
  • isolation
  • management
  • speed
  • agility

I am looking forward to getting my hands on this and expanding my knowledge on how vSphere Integrated Containers (VIC) works in the real world. vSphere Integrated Containers includes the following three major components:

  • vSphere Integrated Container Engine: a Docker Remote API-compatible engine deeply integrated into vSphere for instantiating container images that are run as VMs
  • Container Management Portal: a portal for apps teams to manage container repositories, images, hosts, and running container instances
  • Container Registry: securely stores container images with built-in RBAC and image replication

For now it's research time; later I get to have some hands-on fun. Here are some interesting links:

Download a copy of your Facebook data

Recently we have all been reading about Facebook's breach of trust. Even Mark Zuckerberg admitted that Facebook has made mistakes.

The issue: Cambridge Analytica, a U.K.-based political data-analytics firm hired by the 2016 Trump campaign, got its hands on data for 50 million Facebook users — without the users’ knowledge or consent. At this point, it’s unclear whether the uproar over Cambridge Analytica will lead to new legislation or government regulations but in my circles, I have noticed a significant exodus of companies and users.

Before you make the jump to delete your account, download a copy of your Facebook data.

The following steps should help:

  • Go to Facebook.com > Settings > General Account Settings
  • Click “Download a copy of your Facebook data.”
  • Click “Download Archive.”
  • It takes a short period of time for Facebook to generate an archive of your data.
    You will be alerted when the archive is ready.
  • Once notified of its completion, click “Download Archive”, and a zip file will download to your computer.
  • Browse through that archive by opening each file inside the folder.

In the archive, you'll find your entire history on Facebook, including messages. Browsing it makes clear how much Facebook knows about you.


Examples of what you will find

  • The index also contains information about every Event invite you got, every Poke and Message you’ve sent or received (even if you are not Facebook friends with the person, or if they are no longer on Facebook), any Facebook applications you installed (even if you don’t use them anymore), and any Facebook “Places” (locations) you may have created.
  • In the Profile section, you will find some basic information about your profile, including any profile names you have had in the past, all your contact info, any pages and interests you liked, groups you joined, and any Facebook pages you administer.
  • The Contact Info section contains all the contacts on your mobile phone.
  • The Timeline section contains all your status updates and posts from friends on your timeline. The Photos and Videos sections contain photos and videos you posted; the former also contains code about your Facial Recognition info.
  • The Friends section contains a list of all your Facebook friends along with the date you became friends. It also contains a list of friends you unfriended and when, friend requests you declined, a list of friend requests you sent that are pending acceptance, a list of people who "Follow" you by clicking the follow button on your profile, and anyone you are following.
  • There’s also a Security section tracking IP addresses, devices and browsers you logged in from with dates and timestamps.
  • The Ads section contains a list of Ad Topics you are being targeted for based on interests gleaned from Facebook pages you liked. There’s also a list of the recent ads you clicked on and any advertisers that have your contact information. You can find (and remove) additional ads and ad topics you are being targeted for by visiting: https://www.facebook.com/ads/preferences/.


Important: Update Your Mozilla Web Browser to Firefox 58.0.1

Mozilla has released an important update for its Firefox web browser to patch a critical vulnerability that could allow remote attackers to execute malicious code on computers running an affected version of the browser.

Affected web browser versions include Firefox 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The vulnerability has been addressed in Firefox 58.0.1.

Security fix

When using certain non-default security policies on Windows (for example with Windows Defender Exploit Protection or Webroot security products), Firefox 58.0 would fail to load pages (bug 1433065).

Reference link to 58.0 release notes

Known Issues of Security fix

  • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions.
  • Users running certain screen readers may experience performance issues and are advised to use Firefox ESR until performance issues are resolved in an upcoming future release.


According to a security advisory published by Cisco, Firefox 58.0.1 addresses an 'arbitrary code execution' flaw that stems from 'insufficient sanitization' of HTML fragments in chrome-privileged documents (browser UI).


Hack Details:

Hackers could exploit this vulnerability (CVE-2018-5124) to run arbitrary code on the victim’s computer just by tricking them into accessing a link or ‘opening a file that submits malicious input to the affected software.’

The advisory states:

“A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely,”

This could allow an attacker to install programs, create new accounts with full user rights, and view, change, or delete data. If the browser has been configured to run with limited rights, however, the impact on the system itself is reduced and should be limited to the currently logged-in session.