Dell recently notified Tier1net of a security vulnerability within its Dell Foundation Services application, which runs on Dell PCs and laptops. This could allow a man in the middle attack to decrypt sensitive data transmitted from a PC or laptop running the Dell Foundation Services software.

As part of Tier1Net’s standard pre-configuration process, the Dell Foundation Services are removed by default, so Tier1net customers’ risk of exposure should be minimal. For the few client machines which still have the software installed, Tier1Net will be running a tool to remove the vulnerability.

Dell has issued a statement apologizing for the oversight and will not be installing the eDellRoot certificate on any future machines.

For more on Dell’s statement, read below:

“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system.  The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process. We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.”

Read more here: http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate

Microsoft recently deployed a security patch which has unexpected side effects for Outlook users. Patch KB3097877, first deployed on Tuesday November 10, 2015, inadvertently causes Microsoft Outlook to crash upon launch or when opening/responding to email. This symptom has been observed in Outlook 2010 and 2013, on machines running Windows 7, Windows 8, and Windows 8.1.

Tier1Net has already updated its automated patch management policy to scan for, and remove, Patch KB3097877 on all systems.

If you are experiencing any Outlook issues now however, please call our office immediately and we will expedite the patch removal on your workstation.

If you would prefer to remove the patch yourself, please follow these instructions:

  1. Click Start and navigate to Control Panel > Uninstall a Program.
  2. Select “Installed Updates” and enter KB3097877 in the Search Field.
  3. If the update is found, select it and click Uninstall.
  4. Reboot the PC when prompted.

For further reading, please see below:

http://www.infoworld.com/article/3004441/microsoft-windows/microsoft-surreptitiously-reissues-botched-patch-kb-3097877-for-windows-7.html

http://www.theregister.co.uk/2015/11/11/patch_tuesday_downloads_buggy_ms_patch/

http://www.winbeta.org/news/microsofts-recent-windows-10-security-patches-are-causing-some-users-headaches

A zero day vulnerability has been discovered in Adobe’s Flash Player which, if exploited, could lead to code execution and potentially allow an attacker to take control of an affected system.

This morning Adobe released a patch for this vulnerability.
To ensure that your workstations and servers are protected from this vulnerability, Tier1net will be deploying the security patch to your network via its Managed Workplace automated patching tools.

For more information on this vulnerability, please visit: https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

Google Chrome has discontinued its remaining support for Java, as of September 2015.

Tier1Net clients who are still using Google Chrome to remotely access their PCs via an SSLVPN bookmark may find they are unable to connect. 

Users experiencing issues with Google Chrome, related to remote connections or other Java based applications, are now recommended to take the following actions:

1. Switch to a Java-supported web browser, such as Internet Explorer 11 or Mozilla Firefox

2. Contact Tier1net to determine if your organization’s SSLVPN appliance is compatible with Google Chrome

For more information, please read:

http://www.tier1net.com/google-chrome-ceases-support-for-java/

http://blog.chromium.org/2014/11/the-final-countdown-for-npapi.html

Attention McAfee Email Protection Clients:

McAfee has released the following service alert:

“A network issue in North America has impacted Web Protection and Email Protection traffic  for some customers.  We are in the process of enacting our emergency failover processes to try and restore service as soon as possible.

Web Protection customers may experience issues connecting to the proxy service and Email Protection customers may see delays in both inbound and outbound mail processing.

There may also be ancillary services that see degraded performance as well such as Quarantine release, ClickProtect, Control Console access, Message Continuity Unspool, and Archiving ingest.”

For more information, please see https://support.mcafeesaas.com/mcafee/_cs/BusinessDisplay.aspx?sSessionID=&did=1

Tier1Net has received increased reports of legitimate emails being delayed with the senders receiving a temporary failure message of  “451 Exceeding Connection Limit: RBLDNSD.”

Tier1Net has traced the issue to a new Spam Flood Prevention policy recently enabled by McAfee.  This new policy was designed to reduce the impact of certain spam campaigns characterized by unusual spikes in traffic over short periods of time, by withholding delivery until traffic returns to a normal threshold.

However, Tier1Net has observed a high volume of “false positive” delays, wherein McAfee identifies legitimate senders as spam campaigns.

As a result, Tier1Net has disabled the McAfee Spam Flood Prevention feature for all of its McAfee Email Protection customers.

For more information, please visit https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=16814425079KXWEWWRBBBBIZKVKUXMZPPKRORQWW&aid=271042

As of 4/14/2015, the Google Chrome browser version 42.xx and above will no longer directly support the Java platform.

Java relies on NPAPI, an API first introduced over twenty years ago.   Google feels that NPAPI’s “90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity.”   For these reasons, Google Chrome no longer supports NPAPI, which means the Java Platform will no longer work in Google Chrome.

Users experiencing issues with Java in Chrome may follow either of these workarounds:

1. Switch to an NPAPI-supported web browser, such as Internet Explorer 11 or Mozilla Firefox.

2. Manually re-enable NPAPI in Google Chrome using the steps below.  (Note: This workaround will be removed by Chrome in September 2015 or earlier.)

  1. Paste the following link into your Google Chrome browser: chrome://flags/#enable-npapi
  2. Click “Enable” under NPAPI.  (If you see the word “Disable,” then it is already enabled.)
  3. After enabling NPAPI, click the “Relaunch Now” button at the bottom of the page or the changes will not take effect.

http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html

A cyberattack against JPMorgan Chase last summer, which affected 76 million households, could have been prevented by a simple security fix, experts say.

Had JPMorgan Chase implemented TWO-FACTOR AUTHENTICATION on all of their servers, the breach would likely not have occurred.  From Dealbook at the New York Times:

“Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion.”

Two-factor authentication adds a second layer of authentication to login procedures, beyond the username/password combination.  This second layer of authentication makes it increasingly difficult for hackers to remotely access your data.

Two-factor authentication can be established many ways, but the basic principle is to combine 1. SOMETHING YOU KNOW (like a username/password combination) with 2. SOMETHING YOU HAVE (like a key fob, mobile phone, or biometric fingerprint).

Tier1Net recommends implementing two-factor authentication on all publicly accessible remote access portals. The Sonicwall SRA appliance leveraged by many Tier1net customers has this capability bundled into its standard operating system. This feature, known as ONE-TIME PASSWORD or OTP, works by challenging an authenticated user with a request for a second password. The second password is sent from the device to the user via text message. Upon each subsequent login, the user will receive a different one-time password for access.

Recently Tier1Net has been implementing all new Sonicwall SRAs with this secure configuration by default, and strongly recommends enabling it for all production appliances currently configured for single factor authentication.
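To make the OTP flow described above concrete, here is an added server-side model of it (example code, not SonicWall's implementation): after the first factor succeeds, a fresh random code is issued, only its hash is stored, the code is delivered out of band through a caller-supplied `send` function (standing in for the SMS step), and it is accepted once, within an assumed five-minute lifetime and a bounded number of guesses.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300    # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code


class OtpChallenge:
    """Second-factor challenge issued after the username/password step succeeds."""

    def __init__(self, send):
        self._send = send          # send(user, code): out-of-band delivery, e.g. SMS
        self._pending = {}         # user -> {"digest": ..., "expires": ..., "attempts": ...}

    def issue(self, user, now=None):
        """Generate a fresh random code, store only its hash, deliver the code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # new code on every login
        self._pending[user] = {
            "digest": hashlib.sha256(code.encode()).hexdigest(),
            "expires": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send(user, code)

    def verify(self, user, submitted, now=None):
        """Accept the code once, within its lifetime, with a bounded attempt count."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None or now > entry["expires"]:
            self._pending.pop(user, None)      # nothing outstanding, or expired
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            self._pending.pop(user, None)      # too many guesses: force a new login
            return False
        ok = hmac.compare_digest(
            entry["digest"], hashlib.sha256(submitted.encode()).hexdigest())
        if ok:
            self._pending.pop(user, None)      # single use: a replayed code is refused
        return ok
```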

Thanks and Happy Holidays!

Tier1Net

Read More: http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/

Countdown to Windows Server 2003 End of Support Date

The deadline for upgrading Windows 2003 Servers is fast approaching.

In July of 2015, Microsoft will be discontinuing support for Windows 2003 Operating Systems.

After that time, servers running Windows 2003 will no longer receive critical security updates and patches.

The US Department of Homeland Security has released a statement urging users to upgrade their systems prior to the End-of-Support date:

“Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.”

Tier1Net has been reaching out to individual clients who are still using Windows 2003 Operating Systems in their environments to discuss migration plans.

If you have questions about the Windows 2003 Server End-of-Support or migration process, please contact us.

Further Reading:

http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/

https://www.us-cert.gov/ncas/alerts/TA14-310A

The POODLE vulnerability, or “Padding Oracle On Downgraded Legacy Encryption”, is a new security threat found within existing, though outdated, encryption technology.

This vulnerability is not as threatening as Heartbleed or Shellshock which could both be exploited via direct attack vectors. The POODLE vulnerability requires a man in the middle attack vector in order to be exploited.

Unfortunately this vulnerability does not have a specific solution or patch but rather multiple methods of reducing risk to exposure.  Experts at Google, Microsoft, Mozilla, and others, have all posted possible methods to mitigate against the POODLE vulnerability.

Tier1Net is actively following all POODLE developments and will release a more detailed notice with information regarding the vulnerability and steps that can be taken to reduce exposure.

POODLE exposes a vulnerability in an outdated – but still used – web encryption technology SSL 3.0.  Modern web browsers are designed to prefer the newer TLS encryption protocol when accessing a service secured via SSL.  But most browsers will still accommodate SSL 3.0 traffic, if the host or client demands it.  SSL 3.0 traffic, however, exposes a unique vulnerability for attackers to decrypt data sent between the client and server.

It would not be easy to exploit this vulnerability, however. “The conditions that are required for the attack to be applicable are hard to obtain,” said Itsik Mantin, director of security research at Imperva. “In particular, the attacker needs to become a man-in-the-middle between the attacked client and server, and to generate, block and modify client messages to the server and vice versa.” An attacker could then theoretically force the host/client connection to “fall back” to SSL 3.0, where the attacker could then potentially access data. An attack such as this would most likely occur on an unsecured public network, such as a Wi-Fi network at an airport.

In order to safeguard against POODLE, SSL 3.0 fallback must be blocked on all levels. Due to the scope and complexity of possible SSL 3.0 usage, a permanent blocking solution is not yet agreed upon. Blocking SSL 3.0 prematurely could break many existing websites: potentially blocking users from accessing a client’s own site, and also blocking employees from accessing business-critical sites.
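As an added illustration of what “blocking SSL 3.0 fallback” means on the server side (example code, not from this post or from any vendor named in it), the block below parses a TLS ClientHello and applies two checks: it refuses any hello offering SSL 3.0 or lower, and it honours the TLS_FALLBACK_SCSV signalling cipher suite from RFC 7507, which a client includes when it is retrying at a lower version, so a forced downgrade is rejected even when the lower version is otherwise allowed. The server's maximum version and the sample hellos are constructed for the example.

```python
import struct

SSL30 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600      # signalling cipher suite value defined in RFC 7507
SERVER_MAX = (3, 3)             # assumption: TLS 1.2 is the highest version this server speaks


def parse_client_hello(data: bytes):
    """Return (version, cipher_suites) from a raw ClientHello handshake message.
    Layout: type(1) length(3) version(2) random(32) sid_len(1) sid cs_len(2) suites ..."""
    if len(data) < 4 or data[0] != 1:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(data[1:4], "big")
    body = data[4:4 + body_len]
    version = (body[0], body[1])
    sid_len = body[34]
    pos = 35 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def evaluate_hello(data: bytes) -> str:
    """Return 'accept', or the TLS alert a hardened server would send instead."""
    version, suites = parse_client_hello(data)
    if version <= SSL30:
        return "protocol_version"         # SSL 3.0 disabled: refuse the handshake
    if TLS_FALLBACK_SCSV in suites and version < SERVER_MAX:
        return "inappropriate_fallback"   # client is retrying lower than it could: downgrade
    return "accept"


def build_client_hello(version, suites) -> bytes:
    """Constructed test input: a minimal ClientHello with an empty session id, no extensions."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body
```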

Tier1Net is actively following all recommendations and will keep its clients apprised of new developments.

https://www.openssl.org/news/secadv_20141015.txt

https://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844

http://www.pcworld.com/article/2834015/security-experts-warn-of-poodle-attack-against-ssl-30.html