ransomware attack

Is Your Organization Ready to Defend Against Ransomware Attacks?

Without question, cybercrime is escalating and ransomware attacks and threats abound. Learn how to defend against ransomware, how infection can occur and how you can fight back.

Cybercrime is reaching unprecedented heights. And with the recent “WannaCry” ransomware attack, cyberthreats are back at the top of every IT department’s list of priorities and concerns. Unfortunately, it’s a trend that is unlikely to be curbed anytime soon. Cybersecurity communities have estimated that the total cost of cybercrime damage worldwide is estimated at $6 Trillion annually by the end of 2021, forcing more and more businesses to invest in cybersecurity spending on products and services to protect their business critical data from potential ransomware attacks.

Here I’ll talk more about what ransomware is, how infections can occur and how your business can be more prepared to defend against potential attacks.

What is ransomware?

Ransomware is typically defined as a subset of malware where the data on a victim’s computer becomes inaccessible and payment is demanded (usually in the form of bitcoin or other cryptocurrencies), before the data is decrypted and the victim can re-access their files.

Ransomware attacks can present themselves in a variety of forms but Microsoft Malware Protection Center explains that the two most widespread ransomware families to be reported in 2016/17 were:

  • Lock-screen ransomware
  • Encryption ransomware

Typically, lock-screen ransomware will present victims with a full-screen message which then prohibits the user from accessing their PC or files, until a payment is made. Whereas encryption ransomware will modify the data files via encryption methods so that the victim cannot open them again. In both cases, the attackers are in total control and demand large sums of money to access or unlock the files.

How does a ransomware infection occur?

On average, most ransomware infections occur through email messages carrying Trojans that attempt to install ransomware when opened by victims, or alternatively, websites that attempt to exploit vulnerabilities in the victim’s browser before infecting the system with ransomware.

Multiple high-profile incidents in 2016/17 alone, have demonstrated the destruction ransomware attacks can have on enterprise networks just as easily as on individual PCs.  For example, EternalBlue (a Windows exploit) released by the mysterious hacking group Shadow Brokers in April 2017 breached spy tools at the National Security Agency (NSA) and offered stolen data for auction, and the WannaCry strain targeted thousands of targets including the National Health Service in the UK (in total netting ~52 bitcoins or around $130,000 worth of ransom).

Not to mention many other widespread strains of ransomware including Petya, Nyetya, Goldeneye, Vault 7, Macron which have had devastating effects on countries, enterprises, election debates and individuals around the world. Attacking enterprise networks in this manner, is even becoming even more attractive because of the value of the files and data that large enterprises own means attackers can demand higher monetary values for ransom.

How to fight back

The increasing threats of ransomware attack should come as no surprise, because in reality organizations have always been under threat from malicious cyberattacks, viruses and ransomware, just more so now than ever before, and IT managers should continually be looking for ways to better protect their valuable data. Therefore, it is essential that your organization has a plan in place to defend against such attacks, minimize financial impact, reduce IT impact and maintain brand reputation.

The industry recognized recommendations suggest organizations follow the simple 3-2-1 rule and the implementation of a strong security plan. The goal of the 3-2-1 rule is to provide customers with a data protection solution that maximizes application uptime, and data availability in the event of a disaster striking.

With the proper execution of the 3-2-1 backup principles, IT managers can protect their data by:

  • Maintaining 3 copies of data (primary data and two copies)
  • Store backup copies on 2 different media types (such as tape, disk, secondary storage or cloud)
  • Keep 1 copy off-site (either on tape or in the cloud, since disasters can strike without notice, if all other forms of protection fail, you still have access to offline data!)

 

Windows 7

Windows 7 EOL timebomb identified

Latest figures reveal Microsoft is still struggling to shift people off Windows 7. Will it be the XP End of Life drama all over again?

The number of people still using Windows 7 could lead to a problem when it eventually goes out of support, with even the well-received Windows 10 failing to convince a majority of users to upgrade.

Hospitals, and the police in particular have been slow to give up Windows XP, despite it being out of support and hence vulnerable to new forms of attack.

The latest Netmarketshare figures from Net Applications reveal the picture two years on from the launch of Microsoft Windows 10.

here are the latest month on month figures:

Windows 7: 48.43 (-0.48), Windows 10: 27.99 (+0.36), Windows XP, 6.07 (-0.03), Windows 8.x: 7.42 (-0.35), Mac OS 13 Beta: 0.02 (no change), Mac OS 12 (stable): 3.59 (+0.07), Mac OS 11: 1.09 (-0.08), Mac OS (older): 1.24.

Bottom line: Windows 90.37 percent of the market. Mac has 5.94 and Linux has taken a jump to 3.37 (0.84).

The only event of note – it has been quiet, as relatively few devices are released over the summer – is that there are now the same percentage of people using Windows 8.1 as there are Windows XP – 6.07.

So how is Windows 10 is actually doing? At launch, Microsoft stated it was aiming for 2 billion machines in its first two years. The fact it hasn’t achieved that even allowing for IoT and XBox devices, as well as a host of other new form factors, is obvious, but it was a big goal in the first place.

When the first figures came out, a few days after launch, Windows 10 was already sitting at 0.39 percent, thanks to the early adopters program. A year later, it sat at 22.99, as the free upgrade offer finished.

Microsoft would have had egg on their faces, had they extended the offer, but nevertheless, progress since has been slow. Today’s 27.99 means that just a five percent shift has moved to Windows 10 since the end of the freebie.

When you consider all the devices that Windows 10 is on besides desktops, that’s a pretty unhealthy figure. The last public figure that Terry Myerson gave was 500,000 devices. That’s just not good enough, and whatever Microsoft’s notoriously oily marketing people tell you, it remains a long way from where the company would hope to be.

Microsoft has actually increased its market share overall – It was 90.37 percent for August, up from 88.74 two years ago. But it’s actually down a tiny fragment on this time last year, where it was at 90.39.

So where is all this coming from? Well we can’t look to Windows 8.x which now has less than half the users of two years ago (from 15.86 to 7.42). And XP has dropped by a similar figure (from 13.09 to 6.07).

The issue is Windows 7. People and more especially businesses are still refusing to give it up. It has lost its market share – down from 60.75 in August 2015 to 48.43 percent in August 2017. But again – it’s actually UP on this time last year, where it was at 47.25.

So Microsoft’s increase market share seems to be down to the continuing success of an eight-year old operating system that has been superseded twice. In other words, come 2020, we’re going to have the XP debacle all over again.

And it’s not just Windows. Mac OS has actually fragmented in the past two years. The number of people of Mac OS has dropped from 7.66 to 5.85. Linux on the other hand continues to bloom in its own tiny way, going from 1.68 to 3.37.

There’s no question that the last two years have seen a tremendous change in the market – not least of all, the variety of form factors and new players such as Chrome OS, which isn’t included here for logistical reasons.

But the key problem remains, if Microsoft can’t shift people off Windows 7, without annoying them in the process, then we’re setting ourselves up for another End of Life timebomb.

Good Bye, VMware vSphere Web Client

VMware has announced to deprecate the Flash-based vSphere Web Client with the next numbered release (not update release) of vSphere. The next version of vSphere will be the terminal release for which vSphere Web Client will be available.

Since vSphere web client is based on Adobe flash technology, It results in less than ideal performance as compared to HTML5 based vSphere client and also has constant update requirements. Additionally, Adobe also has recently announced plans to deprecate Flash.

vsphere web client

Currently we have two variants of the vSphere GUIs which includes the vSphere Web Client and HTML5-based vSphere Client in vSphere 6.5 to manage the operation of virtual datacenter.

With the decommissioning of windows based vSphere client, VMware also introduced the HTML5 based vSphere client with vSphere 6.5. Which provides the solid performance as compared to the vSphere web client. The vSphere Client was introduced first in the Fling, then supported with vSphere 6.5. Since its introduction, the vSphere Client has received positive responses from the vSphere community and customer base.

With the recently released vSphere 6.5 Update 1, the vSphere Client got even better and is now able to support most of the frequently performed operations. With each iteration of the vSphere Client additional improvements and functionality are being added.

By the time the vSphere Web Client is deprecated, the vSphere Client will be full featured but with significantly better responsiveness and usability.

The HTML based vSphere Client will be the primary GUI administration tool for vSphere environments starting in the next release. It is recommended that customers should start transitioning over to the HTML5 based vSphere Client as the vSphere Web Client will no longer be available after the next vSphere release. This announcement from VMware gives ample time to customers to prepare for the eventual vSphere Web Client deprecation.

The Evolving Role of the Managed Service Provider

Nearly every enterprise has at least one relationship with a managed service provider today and it’s very likely that relationship has evolved over the years. Get ready, it’s changing again and very much to the advantage of the enterprise.

Managed services has its origins in the beginning of the tech market when companies would turn to a reseller to not only integrate but manage the finished solution. Reselling begot hosting in the late 1990s as the Internet began to crossover from government system to the foundation of our lives, as it exists today. Hosters played two key roles: granting individuals and companies access to the Internet and renting server rack space so corporate applications (mostly web sites) could have a point of presence (POP) on the Internet.

This business evolved from rack hoster to rentable IT admins, who took on the tasks of managing the hardware, OS and increasingly the middleware and applications that ran on those servers. The hosting market was a lucrative and relatively well protected space until cloud computing came along. With the introduction of Software as a Service, applications could now be delivered and managed directly by the software provider themselves. Salesforce led this new market disruption in typical innovator fashion by targeting smaller firms, with lower enterprise-grade expectations and line of business budgets. By the time SaaS started penetrating the enterprise market, its multi-tenant, highly scalable deployment model and new pay-per-user business model was hard for hosters to match and the fight was on.

Public cloud platforms added to the competitive threat by extending the SaaS basics to hosted applications. Now both application outsourcing and the core business of hosting were under threat. A surface examination of these developments might lead you to conclude that the days of the managed service provider were looking pretty gloomy but that’s actually far from the case. It’s simply another evolutionary point in the business life-cycle. While the volume of traditional hosting and application outsourcing opportunities diminish as more applications shift to SaaS or cloud platforms, we aren’t making a binary shift and nor are we getting a free ride from a management and monitoring perspective. Look a little deeper and you’ll find that a large percent of corporate workloads don’t easily fit onto cloud platforms, can’t be cleanly replaced by SaaS and won’t go through such a binary change. In fact the definition of an application is shifting and, for most businesses, already have.

Take, for example, the common business process of eCommerce. Is that a single application? For most companies, absolutely not. It’s a workflow that blends together multiple applications including ERP, CRM, commerce, machine learning, mobile and web, content management and many other elements. And if your company has been around more than 10 years it’s highly likely you have some pretty customized elements in that mix. And it’s a workflow we are constantly refining to stay competitive, improve customer satisfaction with and adapt as end users shift from web-centric to device-centric. So given the changes we are seeing in applications and the shift to cloud that is taking place, what is the end result – a highly blended mix where certain elements are shifted to SaaS, others moved to cloud platforms and others that can’t make the move but must continue as part of the mix.

According to Gartner, Inc., by 2018, more than 40% of enterprises will have implemented hybrid data centers, up from 10% in 2015. Given that we need to accelerate the evolution of this blended model to keep pace both competitively and with our ever-changing customers, what’s the best use of your limited development and IT staff resources? You will pick up some bandwidth as the management of SaaS apps shifts to the SaaS provider and of the infrastructure below the elements you can shift to cloud platforms. But the integration, evolution, security and need for more agile UX improvements all remain. And whether you put your applications on hyper-scale public clouds like Azure or on more localized offerings such as those provided by most MSPs, you still have to manage the Cloud Handshake.

Looking at your task list and cross-correlating this with your IT staff bandwidth, you’ll likely draw the conclusion that managing the Cloud Handshake falls low on the priority list. And this is exactly where the managed service provider can add the most value. And exactly where their business models are evolving. As pointed out in this white paper from Hosting.com, the future of the managed service provider is in managing the blended IT environment. The reality is that your deployment portfolio is evolving to a mix of in-house, hosted, SaaS and multiple cloud platforms. And managing this mix isn’t your core competency and shouldn’t be your priority. MSPs are evolving their business models towards managing this mix so you can focus on the things that are unique to your business.

 

Links in phishing-like emails lead to tech support scam

Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites.

Anti-spam filters in Microsoft Exchange Online Protection (EOP) for Office 365 and in Outlook.com blocked the said emails because they bore characteristics of phishing emails. The said spam emails use social engineering techniques—spoofing brands, pretending to be legitimate communications, disguising malicious URLs—employed by phishers to get recipients to click suspicious links.

However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary “technical support services” that supposedly fix contrived device, platform, or software problems.

The use of email as an infection vector adds another facet to tech support scams, which are very widespread. Every month, at least three million users of various platforms and software encounter tech support scams. However, tech support scams are not typical email threats:

  • Many of these scams start with malicious ads found in dubious web pages—mostly download locations for fake installers and pirated media—that automatically redirect visitors to tech support scam sites where potential victims are tricked into calling hotlines.
  • Some tech support scams are carried out with the help of malware like Hicurdismos, which displays a fake BSOD screen, or Monitnev, which monitors event logs and displays fake error notifications every time an application crashes.
  • Still other tech support scams use cold calls. Scammers call potential victims and pretend to be from a software company. The scammers then ask victims to install applications that give them remote access to the victim’s devices. Using remote access, the experienced scam telemarketers can misrepresent normal system output as signs of problems. The scammers then offer fake solutions and ask for payment in the form of a one-time fee or subscription to a purported support service.

The recent spam campaigns that spread links to tech support scam websites show that scammers don’t stop looking for ways to perpetrate the scam. While it is unlikely that these cybercriminals will abandon the use of malicious ads, malware, or cold calls, email lets them cast a wider net.

An alternative infection path for tech support scams

The spam emails with links to tech support scam pages look like phishing emails. They pretend to be notifications from online retailers or professional social networking sites. The suspicious links are typically hidden in harmless-looking text.

Figure 1. Sample fake Alibaba order cancellation email. The order number is a suspicious link.

Figure 2. A sample of a fake Amazon order cancellation email. Similarly, the order number is a suspicious link.

Fig 3. Sample fake LinkedIn email of a message notification. The three hyperlinks in the email all lead to the same suspicious link.

The links in the emails point to websites that serve as redirectors. In the samples we analyzed, the links pointed to the following sites, which are most likely compromised:

  • hxxp://love.5[redacted]t.com/wordpress/wp-content/themes/acoustician.php
  • hxxp://s[redacted]t.com/wp-content/themes/paten.php
  • hxxp://k[redacted]g.org/wp-content/categorize.php

Interestingly, the redirector websites contain code that diverts some visitors to pharmaceutical or dating websites.

Fig 5. Redirects to support scam site

Landing on typical support scam websites

Tech support scams sites often mimic legitimate sites. They display pop-up messages with fake warnings and customer service hotline numbers. As part of the scam, calls to these phone numbers are answered by agents who trick users into paying for fake technical support.

Fig 6. Tech support scam site with fake warning and support number

The technical support scam websites employ various social engineering techniques to compel users to call the provided hotlines. They warn about malware infection, license expiration, and system problems. Some scams sites display countdown timers to create a false sense of urgency, while others play an audio message describing the supposed problem.

Tech support scam websites are also known to use pop-up or dialog loops. A dialog loop refers to malicious code embedded in sites that causes the browser to present an infinite series of browser alerts containing falsified threatening messages. When the user dismisses an alert, the malicious code invokes another one, ad infinitum, essentially locking the browser session.

More advanced tech support scam sites use web elements to fake pop-up messages. Some of these scam sites open full screen and mimic browser windows, showing spoofed address bars.


This article was first published at microsoft.com

 

Keyboard shortcuts

Windows 10 Tip: keyboard shortcuts to help you work faster

Did you know there’s a world of keyboard shortcuts available to you with Windows 10?

You can check out the full list of keyboard shortcuts here, but here are six to help you get started working faster and smarter:

Minimize all your open windows with Windows key + M

Keyboard Shortcuts

Snap one window to exactly half of your screen with Windows key + either of the side arrow keys, and magically snap a second window side-by-side for easy multitasking.

Keyboard Shortcuts

Need one more window? Press Windows key + the “up” arrow to snap a third.

Open Cortana* in listening (voice-command) mode with Windows key + Shift + C

Keyboard Shortcuts

Open Settings with Windows Key + I

Keyboard Shortcuts

Open the first item you have pinned on the Taskbar with Windows Key + T, then use arrow keys to move between other pinned apps

Keyboard Shortcuts

Open the Action Center to view your notifications with Windows Key + A

Keyboard Shortcuts

 

Head over here for a full list of keyboard shortcuts,

 

The End of an Era – Next Steps for Adobe Flash

Earlier this week, Adobe announced that Flash will no longer be supported after 2020. Microsoft will phase out support for Adobe Flash in Microsoft Edge and Internet Explorer ahead of this date.

Flash led the way on the web for rich content, gaming, animations, and media of all kinds, and inspired many of the current web standards powering HTML5. Adobe has partnered with Microsoft, Google, Mozilla, Apple, and many others, to ensure that the open web could meet and exceed the experiences that Adobe Flash has traditionally provided. HTML5 standards, implemented across all modern browsers, provide these capabilities with improved performance, battery life, and increased security. We look forward to continuing to work with Adobe and our industry partners on enriching the open web without the need for plug-ins.

We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with Click-to-Run for Flash in the Windows 10 Creators Update. The process will continue in the following phases:

  • Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits. Internet Explorer will continue to allow Adobe Flash with no special permissions required during this time.
  • In mid to late 2018, we will update Microsoft Edge to require permission for Flash to be run each session. Internet Explorer will continue to allow Flash for all sites in 2018.
  • In mid to late 2019, we will disable Flash by default in both Microsoft Edge and Internet Explorer. Users will be able to re-enable Flash in both browsers. When re-enabled, Microsoft Edge will continue to require approval for Flash on a site-by-site basis.
  • By the end of 2020, we will remove the ability to run Adobe Flash in Microsoft Edge and Internet Explorer across all supported versions of Microsoft Windows. Users will no longer have any ability to enable or run Flash.

This timeline is consistent across browsers, including GoogleMozilla, and Apple. We look forward to continuing our close collaboration with Adobe, other browser vendors, and the publishing community, as we evolve the future of the web for everyone.

ransomware exploits

5 Top ransomware exploits that you should know

We used to call the Internet the “information super-highway” back in the day, when connections were slow, bulletin boards and gopher were about as techie as it got. Those days are long gone, but something of the ‘highway’ has remained, like a bad smell, one that has come back to haunt us in 2017… The highway robber in the form of ransomware exploits !

The person who went about their villainy on the trade routes and highways of the world, extorting money and valuables from unsuspecting travellers with a simple threat –– ”your money or your life” –– reinforced of course with the trademark flintlock pistol and sabre.

Today’s highway robber is a lot more sophisticated and savvy. They take far less risk and turn to the latest technology to extort you out of your money by threatening your valuables. In this case your data, your technology and most probably your computing ability.

Of course, I’m talking now about ransomware, the threat that’s been in the news almost every day for the past couple of months. The tool of choice for the modern highway robber has become headline news around the world with variants such as WannaCry and the more recent Popcorn Time. Organizations around the world have been affected by this ransomware, from the UK National Health Service, through to the Russian Postal Service in the last few weeks.

Interestingly, WannaCry leverages a previously known vulnerability in the Windows operating system, which is alleged to have been hoarded by a national security agency of the USA. In this case a vulnerability which allowed the ransomware to be especially successful in both current and older versions of Windows, such as XP and Windows 7, by using a weakness in their inbuilt SMB networking functionality. Even when out of support, there are still organisations using Windows XP and putting themselves at risk.

Luckily however an enterprising security researcher managed to find a kill switch written into some variants of WannaCry, in the form of a phone-home domain which hadn’t been registered by the malware’s author. Registering the domain seemed to give these variants of the malware the dead letter box it was looking for in order to shut down, thus halting the attack.

After intense examination of WannaCry’s tactics by the security community, we now know the infection spread within organizations by means of leveraging SMB connections. And, while patching the known vulnerability (as the patch had been out for over a month) helps sqelch WannaCry’s ability to spread, there are a broad range of ransomware sources through which you can get infected, such as:

  • Trojans – Perhaps the most common and the ransomware attack source we read the most about. Email attachments that contain malicious macro attachments are the chosen method here.
  • Removable media – Perhaps the most likely ransomware source of infection for the majority of malware in an enterprise, whether it’s ransomware or something more nefarious. Especially for those organisations that don’t lock down their USB ports. USB sticks and removable media are a very simple way to infect a PC as users generally trust those devices. A study by Google and two US universities showed that dropping USB sticks in public places was a simple and effective way to trigger human curiosity, with a full 49% of the ‘bait USBs’ being plugged into a computer by people who found them. Imagine if those had been malicious?
  • Malvertising – Malver-what-now? A portmanteau of malicious advertising. Where attackers compromise the weak infrastructure of an online ad network that serves adverts to legitimate websites. Therefore, when users view those adds, usually on well-known news websites, they can be used to trick browsers into downloading malware through the page display ads. Exploit kits such as Angler and Neutrino are often used as the initial dropper of the malware, which often then allows cyber criminals complete control of the infected endpoint. Ransomware is just one of the common outcomes of these watering-hole or drive-by attacks.
  • Social media and SMS – The prevalence of shortened links used on social media platforms and in SMS text messages gives attackers a superb mechanism to deliver ransomware and malware. Users rarely, if ever, check the destination of shortened links in social media, SMS or even email and attackers know this. Security solutions that ‘link-follow’ are increasing in popularity, but not fast enough. Ransomware delivered through shortened links is also often JavaScript based and requires little action on the users’ part, other than to click the link.
  • Ransomware-as-a-Service – RaaS? Yes, it does exist, as one of the many ‘Crime-as-a-Service’ networks. (Yes, those exist too). RaaS allows criminals of any variety to use ransomware exploits and become instant cyber criminals, to the extent we’re seeing a drop off in classic crime like burglary, as RaaS is far a less risky ransomware source for them. RaaS and CraaS have given rise to vast affiliate networks too, where ransomware is easy to deploy and manage for almost anyone and where the earning potential is significant. I use this example to demonstrate the sophistication and motivation of the cybercriminals behind ransomware. Ignore them at your peril.

Of course, we’re used to thinking of ransomware as an email-specific or Trojan-based attack and that’s certainly the most common route it takes, but we should note that once ransomware makes its way into your business, ransomware creators will attempt to take as many routes possible to ensure as widespread an infection as is possible.

What all of these attacks and the breadth of ransomware sources show us is that it’s a live and hostile environment on the information super-highway and that for all the good we do, there are still people intent on exploiting, stealing, violating and pillaging our assets. Don’t be under any illusion they’re not motivated either; ransomware is a great money earner for them so don’t expect the attacks to die down anytime soon. Technologically not doing your best is not an option either. Sitting back hoping Windows XP or 7 will “struggle on for a little longer” or that those patches you didn’t deploy don’t matter is not a sensible strategy. Remember there are books written about hope not being a strategy, so don’t fall into that trap.

Patch your stuff, back up your valuables and keep an eye out for the highway robbers and those ransomware exploits.

Stay safe out there.

Update Adobe Flash Player NOW

One of the favourite pieces of software for malicious hackers to target on users’ computers is Adobe Flash Player.
Why? Well, there are a few reasons.

Firstly, Adobe Flash Player is on an awful lot of computers. Many users may have installed it long ago in order to access Flash-based media content online, such as videos. Malicious hackers can rely upon a large number of people having Flash installed, making it a target for attack.

Secondly, the version of Adobe Flash Player installed on your computer may be out-of-date. Users may have failed to configure updates properly, or chosen to ignore reminders to update the software promptly when a new security update is released. There’s only one thing more attractive to a malicious hacker than widely-used ubiquitous software, and that’s widely-used ubiquitous software that hasn’t been kept updated with the latest patches.

It doesn’t matter if a hacker doesn’t have a zero-day exploit to throw at your Adobe Flash Player if you haven’t been bothering to keep it protected against known vulnerabilities.

Thirdly, there has been a long history of malicious hackers finding critical security holes in Adobe Flash Player, and building their attacks into exploit kits for anyone to deploy. Flash is closed, proprietary software controlled by Adobe and it has been plagued with software vulnerabilities and serious flaws over many years. Quite why Flash has been targeted so often is open to some debate, but the mere fact that it has suggests that it will continue to be for some time to come.

The upshot of this is that when Adobe releases new security patches for Adobe Flash Player, it would be very sensible indeed for its users to sit up and take notice.

Earlier today Adobe issued a security advisory detailing updates it has released for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.

The updates are said to address critical vulnerabilities that could allow an attacker to penetrate a vulnerable system, allowing a remote attacker to execute code on a victim’s computer and take control over the device.

Adobe recommends that users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player version 26.0.0.137 as soon as possible. You can do this either by visiting the official Adobe Flash Player download page, or ensuring that Flash’s global settings are set to “install updates automatically when available”.

Even with that option enabled you may be disappointed to find that security updates are not immediately available to you, and – rather than wait – prefer to manually force an update instead.

Things are a little simpler for those who rely upon the Adobe Flash Player code integrated with the Google Chrome and Microsoft Edge browsers, as they should be automatically updated to the latest version as the browser itself updates.

The best approach of all, of course, if you want to permanently secure your computers and devices against Flash flaws is the nuclear option: uninstall Flash from your computer. Or – if you just need Adobe Flash for very specific websites or bespoke applications – have Flash installed on an alternative browser rather than the one you regularly use to surf the web.

If you’re not quite ready to take the step of entirely uninstalling Flash, then you should at the very least consider enabling “Click to Play”, which stops Flash elements from being rendered in your browser unless you give specific permission.

malware attack

Microsoft networking protocol at the core of recent global malware attacks

The company is going to kill off SMB1 at long last, but you shouldn’t wait to disable it

Another day, another global malware attack made possible by a Microsoft security hole. Once again, attackers used hacking tools developed by the U.S. National Security Agency (NSA), which were stolen and subsequently released by a group called Shadow Brokers.

This time around, though, the late-June attack apparently wasn’t ransomware with which the attackers hoped to make a killing. Instead, as The New York Times noted, it was likely an attack by Russia on Ukraine on the eve of a holiday celebrating the Ukrainian constitution, which was written after Ukraine broke away from Russia. According to the Times, the attack froze “computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.” After that, it spread worldwide. The rest of the world was nothing more than collateral damage.

The NSA bears a lot of responsibility for this latest attack because it develops these kinds of hacking tools and frequently doesn’t tell software makers about the security holes they exploit. Microsoft is one of many companies that have beseeched the NSA not to hoard these kinds of exploits. Brad Smith, Microsoft’s president and chief legal officer, has called on the NSA “to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits” and stop stockpiling them.

Smith is right. But once again, a global malware attack exploited a serious insecurity in Windows, this time a nearly 30-year-old networking protocol called SMB1 that even Microsoft acknowledges should no longer be used by anyone, anywhere, at any time.

First, a history lesson. The original SMB (Server Message Block) networking protocol was designed at IBM for DOS-based computers nearly 30 years ago. Microsoft combined it with its LAN Manager networking product around 1990, added features to the protocol in its Windows for Workgroups product in 1992, and continued using it in later versions of Windows, up to and including Windows 10.

Clearly, a networking protocol designed originally for DOS-based computers, then combined with a nearly 30-year-old networking system, is not suitable for security in an internet-connected world. And to its credit, Microsoft recognizes that and is planning to kill it. But a lot of software and enterprises use the protocol, and so Microsoft hasn’t yet been able to do it in.

Microsoft engineers hate the protocol. Consider what Ned Pyle, principal program manager in the Microsoft Windows Server High Availability and Storage group, had to say about it in a prescient blog in September 2016:

“Stop using SMB1. Stop using SMB1. STOP USING SMB1!… The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though modern eyes.”

Back in 2013, Microsoft announced it would eventually kill SMB1, saying the protocol was “planned for potential removal in subsequent releases.” That time is almost here. This fall, when the Windows 10 Fall Creators Update is released, the protocol will finally be removed from Windows.

But enterprises shouldn’t wait for then. They should remove the protocol right away, just as Pyle recommends. Before doing that, they would do well to read the SMB Security Best Practices document, put out by US-CERT, which is run by the U.S. Department of Homeland Security. It suggests disabling SMB1, and then “blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”

As for how to disable SMB1, turn to a useful Microsoft article, “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.” Note that Microsoft recommends keeping SMB2 and SMB3 active, and only deactivating them for temporary troubleshooting.

An even better source for killing SMB1 is the TechNet article “Disable SMB v1 in Managed Environments with Group Policy.” It is the most up-to-date article available and more comprehensive than others.

Turning off SMB1 will do more than protect your enterprise against next global malware infection. It will also help keep your company safer against hackers who specifically target it and not the entire world.


This article was reposted from : www.computerworld.com