A new security vulnerability has been identified in the Bash shell used by Mac OS X, Unix and Linux.  A patch has already been released for this vulnerability.

Tier1Net does not employ Mac OS X, Linux or Unix within its network infrastructure.  However, certain nodes which incorporate Linux components may be impacted.  Tier1Net is working with its vendors to determine whether these nodes are vulnerable.  If any node is found to be vulnerable, Tier1Net will take immediate action to apply the appropriate patches to resolve the vulnerability.  As an added precaution, Tier1Net has verified that no attack vector is available to any potentially impacted node.

Tier1Net is also evaluating the exposure of its managed services clients to this security threat.

Based on current information, there is no known exposure to these clients.

Should new information be released to suggest otherwise, Tier1Net will notify all affected clients and take appropriate measures.

UPDATE: (9/26/14)

Tier1Net has spent the last day collecting data regarding this vulnerability and waiting on clarification from vendors as to their exposure. It has been determined that Tier1Net’s network infrastructure is not impacted by this vulnerability.
Furthermore, Tier1Net has evaluated the risk to its Managed Service customers and determined that there is little to no exposure within those networks. For customers running Mac OS X at home or at work, Apple has stated that the operating system is “safe by default” and only vulnerable if a user has intentionally configured advanced Unix settings on their Mac. For more information regarding the Mac OS X vulnerability, please visit http://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-bug-apple-says/ or http://www.apple.com


To Our Clients:

In a collaborative effort to enhance cyber security, Microsoft and Google recently announced their intention to cease support for certain SSL certificates within their Internet Explorer and Chrome web browsers.

Starting as early as September 26, 2014, Google Chrome will place a visual alert icon alongside certain previously trusted web addresses.  These visual icons will progress in phases over six months, as a means to alert visitors to potential security issues with a website.  Websites affected will be those whose SSL certificates are signed with the SHA-1 algorithm and are valid past 01/01/2016.  Microsoft will not institute any browser changes until later in 2016/2017.

To prevent the Google Chrome security icon from appearing on your site, Tier1Net will be re-issuing “Chrome Supported” SSL Certificates for all at-risk sites over the next few weeks.

Tier1Net will be contacting the owners of all at-risk sites to discuss the next steps for certificate re-issuance.

Please continue reading below for more information.


An SSL certificate, indicated by “https:” in the browser, is what authenticates a website as genuine and secure.  A theoretical break in the certificate’s signature algorithm would allow another site to “copy” the https site and potentially capture the secure traffic therein.  Today there is little to no risk of such a break occurring.  In future years, however, technological advances may increase the risk.  For that reason, Google is motivating certificate owners to upgrade their SSL certificates to the more robust SHA-2 algorithm.

To motivate certificate owners, starting this month, Google Chrome web browsers will display a warning icon next to any sites using SHA-1 certificates.  These warning icons will only appear on SHA-1 sites whose certificates are valid past 01/01/2016.  These visual warnings will progress over the next few months from “secure, but with errors” to “neutral” to “not secure.”

To prevent these security warning icons from appearing on your site, Tier1Net will be re-issuing SSL Certificates for all at-risk sites.  The re-issued SSL Certificates will use the latest SHA-2 algorithm and will be “Chrome Supported.”
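As an added example (not part of Tier1Net’s notice), the script below reads the text output of the "openssl x509 -noout -text" command for a certificate and reports which indicator Chrome shows for it under the phased schedule. The phase thresholds follow Google’s September 2014 announcement; the certificate text it runs on is a constructed sample.

```python
import re
from datetime import datetime

# Chrome's SHA-1 sunset schedule as announced by Google in September 2014: per Chrome
# version, the earliest notAfter that draws "secure, but with minor errors", the earliest
# notAfter that draws a stronger indicator, and that indicator's name. Later versions
# supersede earlier ones.
CHROME_SHA1_PHASES = [
    (39, datetime(2017, 1, 1), None, None),
    (40, datetime(2016, 6, 1), datetime(2017, 1, 1), "neutral, lacking security"),
    (41, datetime(2016, 1, 1), datetime(2017, 1, 1), "affirmatively insecure"),
]

# Signature algorithm names as openssl prints them for SHA-1 based signatures.
SHA1_SIGNATURES = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}


def parse_openssl_text(text):
    """Extract (signature algorithm, notAfter) from `openssl x509 -noout -text` output."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    end = re.search(r"Not After\s*:\s*(.+)", text)
    if alg is None or end is None:
        raise ValueError("input does not look like openssl x509 text output")
    # openssl prints e.g. "Jan  1 00:00:00 2017 GMT"; strptime tolerates the padded day.
    when = end.group(1).strip().replace(" GMT", "")
    return alg.group(1), datetime.strptime(when, "%b %d %H:%M:%S %Y")


def chrome_status(sig_alg, not_after, chrome_version):
    """Indicator Chrome of the given version shows for one SHA-1-signed end-entity cert."""
    status = "secure"
    if sig_alg not in SHA1_SIGNATURES:
        return status
    for version, minor_from, strong_from, strong_label in CHROME_SHA1_PHASES:
        if chrome_version < version:
            break
        if strong_from is not None and not_after >= strong_from:
            status = strong_label
        elif not_after >= minor_from:
            status = "secure, but with minor errors"
        else:
            status = "secure"
    return status


def audit(cert_text, chrome_version):
    """Classify one certificate from its openssl text dump. Chrome applies the same rule to
    any SHA-1 signature in the chain below the root, so run it over intermediates too."""
    sig_alg, not_after = parse_openssl_text(cert_text)
    return chrome_status(sig_alg, not_after, chrome_version)


def sample_cert_text(sig_alg, not_after):
    """Constructed stand-in for `openssl x509 -noout -text` output (only the fields used)."""
    return f"""Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: {sig_alg}
        Issuer: CN=Example Issuing CA
        Validity
            Not Before: Sep 26 00:00:00 2014 GMT
            Not After : {not_after}
        Subject: CN=www.example.com
"""


if __name__ == "__main__":
    cert = sample_cert_text("sha1WithRSAEncryption", "Sep 26 23:59:59 2017 GMT")
    for chrome in (39, 40, 41):
        print(f"Chrome {chrome}: {audit(cert, chrome)}")
```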

Tier1Net will be contacting all owners of at-risk sites to discuss next steps.

Please visit Google’s announcement to learn more.

Thank you.

Tier1Net


Dell SonicWALL has identified multiple LDAP authentication protocol vulnerabilities that are exposed when SonicOS is configured to use Microsoft Active Directory / LDAP for authentication of AD/LDAP usernames that are members of SonicWALL Administrator groups.   Tier1Net’s infrastructure is not exposed to this vulnerability.  However, to mitigate possible future exposure, Tier1Net will be performing firmware updates on all Dell SonicWALL firewalls within its network infrastructure.

If you have questions or concerns about this matter, please contact Tier1Net.


Attention Tier1Net Clients:

We have heard reports of a widespread phishing scam posing as a legitimate American Express email.   Tier1Net is actively adding rules to block access to this phishing website across all managed firewalls.  Meanwhile, Tier1Net recommends alerting all users of this potential phishing scam and advising them to delete any suspicious American Express emails upon receipt.

The phishing email may contain the subject: “American Express – Safe Key” and claim to inquire about “recent charges on your account.”

If you receive this email, please delete it and do not click on any links within the email.  Clicking on the link within this email will take you to a fraudulent webpage requesting that you enter sensitive information.  If you visit this page, do not enter any sensitive information.

If you believe you have accidentally clicked this link, and/or have entered any information on the phishing webpage, please contact Tier1Net immediately.

A screenshot of the phishing email is included below.


Two days ago, Hold Security revealed that Russian hackers have amassed over 1.2 billion usernames and passwords from various websites. The Milwaukee-based firm would not elaborate on which websites were targeted, or how users could know if their credentials had been compromised.  Experts from within the firm, who played a role in identifying the previous security breaches at Adobe Systems and Target, say the latest Russian hacking scheme could be “the largest data breach known to date.”

Since the announcement, the scope and urgency of Hold Security’s claim has been questioned, with some arguing that the 1.2 billion usernames were amassed over multiple years via several hacking events: Stewart Baker, a partner at Steptoe & Johnson LLP and former general counsel of the National Security Agency, said, “1.2 billion is a very big number. If they got there by assembling two years’ worth of hacks, it is less impressive.”

Nevertheless, Tier1Net wants our clients to be aware that none of their Tier1Net hosted websites were affected by this alleged breach.

Meanwhile, we encourage all web users to review Tier1Net’s Best Practices for Safe Web Use below.

1. Regularly change your passwords for any sites that contain sensitive information, such as anything related to your finances, healthcare, credit cards, and banking information.

2. Do not use the same password across multiple sites.

3. Do not store your online logins/passwords in a file on your computer.

4. Regularly review your bank, credit card, financial, and healthcare statements for accuracy. Report unknown or suspicious activity immediately to the account provider.

5. When offered by an online provider, always opt for two-factor authentication. Two-factor authentication relies on a second set of credentials for access (beyond your password).

6. Proceed with caution.   When large scale malicious activity is reported, always assume that your accounts may have been targeted, and take the appropriate actions – such as changing your passwords – to safeguard against information breaches.

If you have questions about this latest security breach, or how to keep your web activity secure, please contact us.

Thanks,

Tier1Net


Researchers have just identified a vulnerability in OpenSSL software.   This vulnerability is known as the “Man in the Middle” threat, or MitM.

The MitM threat allows a hacker to potentially intercept and decrypt data transmitted between vulnerable clients and servers.

How Does MitM Work?

The attacker creates a fake “handshake” between two devices that leads each of them to believe it is talking to a legitimate peer. The attacker can then use the resulting key material to decrypt or modify traffic at will. However, the attacker must be in the “man-in-the-middle” position on the network (between the two devices) in order to exploit this vulnerability.

Wireless networks are at a higher risk of this MitM attack because they are more readily accessible, and users may connect to any unsecured (or secured) network without a second thought.


Who Does MitM Affect?

The MitM threat affects all versions of the OpenSSL client.  Fortunately, Tier1Net’s Professional Services clients do not use OpenSSL for Windows Servers or Certificates, so those devices are not vulnerable to the threat.  Tier1Net’s web servers do not use OpenSSL for websites hosted on its backbone.

However, the OpenSSL technology is used in some Sonicwall SSLVPN devices.  Sonicwall SSLVPN devices may be affected by the MitM threat.


What is Tier1Net doing?

Tier1Net is in the process of upgrading the firmware of all potentially affected SSLVPN devices.  This firmware upgrade will protect against the MitM vulnerability.

Tier1Net has sent notices to all potentially affected clients.


For more information on the MitM Vulnerability, please click the sources below:

https://www.openssl.org/news/secadv_20140605.txt

http://threatpost.com/new-openssl-mitm-flaw-affects-all-clients-some-server-versions/106470

As seen in the news, Microsoft has disclosed a significant security vulnerability in Internet Explorer.

Here is a link describing the vulnerability in depth: http://www.zdnet.com/microsoft-discloses-zero-day-in-all-versions-of-internet-explorer-7000028803/

The important takeaways are that Microsoft has not released a patch for the vulnerability at this time, and that the vulnerability is already being exploited in limited attacks. It is a serious enough issue that the Department of Homeland Security has released an advisory recommending that people not use Internet Explorer until it is patched. Also, since Windows XP is no longer supported by Microsoft, no patch will be released for XP.

Most networks should have several layers of protection to mitigate exposure to this vulnerability. The first thing to note is that a user must open a website that triggers the vulnerability for their PC to be attacked; a user is not exposed simply by using Internet Explorer on legitimate websites. The most common attack vector will likely be phishing emails that try to trick users into clicking links that open a malicious website in IE. Tier1Net’s McAfee Antispam/Antivirus service would quarantine those emails as spam and/or rewrite the URL to pass it through its ClickProtect proxy, so even if the user clicked the link and opened it in IE, McAfee should block the URL from loading in the browser.

All that being said, Tier1net recommends that Chrome or Firefox be used in place of Internet Explorer until a patch is released. Regarding Windows XP, since the patch will not be made available to XP PCs, Tier1net suggests installing Google Chrome on all XP PCs and setting it as the default browser. Tier1net’s Managed IT customers can have this process fully automated with no disruption to end users.

As always please contact Tier1net Support should you have any questions or concerns relating to this issue.

Earlier this week, a very serious vulnerability was discovered in OpenSSL software.  This vulnerability, dubbed “Heartbleed,” has existed for over two years.   Uncovered just last week, it has generated a lot of attention and driven thousands of websites and services into “patch mode.”  Please read below for answers to some frequently asked questions regarding Heartbleed.


How Does Heartbleed Work?

Heartbleed targets systems that are running versions 1.0.1 through 1.0.1f of the OpenSSL software.  A vulnerability in these OpenSSL versions allows hackers to read the memory of systems running OpenSSL.  By reading this memory, hackers can obtain the secret “keys” with which they may decrypt or “eavesdrop” on SSL encrypted communications.  They may also obtain the usernames, passwords, and other confidential information normally secured by SSL technology.


Who Does Heartbleed Affect?

In essence, Heartbleed affects everyone that uses the Internet.  But the action plan to safeguard against this vulnerability will vary based on whether you’re a Business Owner managing an OpenSSL site or service, or just an Internet User.


How Can I Tell If I’ve Been Impacted?

Unfortunately, there is no way to know if your OpenSSL website or service was targeted over the past two years.  And while the likelihood may be very low that your site or service was infiltrated, Tier1Net recommends taking all appropriate actions to safeguard against this vulnerability.  We have outlined these actions below.


What Should I Do?

From a Business Owner’s perspective, your priority is to ensure that traffic over your network is secure:

  1. Any business using OpenSSL 1.0.1 through 1.0.1f must update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.
  2. Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.
  3. Businesses should communicate to their clients/users if an OpenSSL vulnerability exists and when it has been “patched.”
  4. As a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server’s memory.
  5. Lastly, businesses should wait for instructions from their vendors (SaaS, web host providers, third-party apps, etc.) on how to proceed.
  6. Businesses should not change their passwords until their vendors have instructed them to do so.
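To check step 1 across a fleet, the script below (an added example, not Tier1Net’s own tooling) parses OpenSSL’s letter-suffixed version strings and reports whether a build falls in the Heartbleed range given above, or below the fixed releases named in OpenSSL’s 5 June 2014 advisory for the MitM issue described earlier on this page (0.9.8za, 1.0.0m and 1.0.1h). The host inventory it runs over is constructed.

```python
import re

# Vulnerable ranges per OpenSSL branch: (first vulnerable letter, first fixed letter), where
# "" is the unlettered x.y.z release. Heartbleed follows the notice above (1.0.1 through
# 1.0.1f, fixed in 1.0.1g); the MitM entry follows OpenSSL's advisory of 5 June 2014
# linked earlier on this page (fixed in 0.9.8za, 1.0.0m and 1.0.1h).
ISSUES = {
    "Heartbleed": {(1, 0, 1): ("", "g")},
    "June 2014 MitM": {(0, 9, 8): ("", "za"), (1, 0, 0): ("", "m"), (1, 0, 1): ("", "h")},
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Parse '1.0.1f' or `openssl version` output ('OpenSSL 1.0.1e-fips 11 Feb 2013')
    into ((major, minor, fix), letters). Pre-releases such as '1.0.2-beta1' parse as
    the unlettered release of that branch."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version number in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letter_key(letters):
    """OpenSSL patch letters sort a..z and then za, zb, ...; the unlettered release is lowest."""
    return (len(letters), letters)


def affected_by(version_text):
    """Names of the issues an upstream OpenSSL build with this version string is open to.
    Caveat: distributions such as Debian and Red Hat backport fixes without changing the
    upstream number, so on those hosts confirm with the package changelog instead."""
    branch, letters = parse_openssl_version(version_text)
    hits = []
    for issue, branches in ISSUES.items():
        if branch in branches:
            first_bad, first_fixed = branches[branch]
            if letter_key(first_bad) <= letter_key(letters) < letter_key(first_fixed):
                hits.append(issue)
    return sorted(hits)


def report(inventory):
    """Map host name -> affected issues for a {host: version string} inventory."""
    return {host: affected_by(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "vpn-gw.example.com": "OpenSSL 1.0.1f 6 Jan 2014",
        "web01.example.com": "OpenSSL 1.0.1g 7 Apr 2014",
        "legacy.example.com": "OpenSSL 0.9.8y 5 Feb 2013",
        "new.example.com": "OpenSSL 1.0.1h 5 Jun 2014",
    }
    for host, issues in report(sample).items():
        print(f"{host}: {', '.join(issues) or 'not affected'}")
```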

From a general Internet User’s perspective, your priority is to change your passwords when prompted and monitor your online accounts closely:

  1. Internet Users should be aware that their data could have been seen by a third party if they used a vulnerable service provider.
  2. Users should monitor any notices from the vendors they use (Facebook, Google, etc.).  Business Owners (Vendors) will likely suggest password resets.
  3. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so immediately.
  4. Users should not change their passwords before a vendor has instructed them to do so.
  5. Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.
  6. Follow CNET’s Heartbleed Tracker to track which popular sites have patched the vulnerability.


What is Tier1Net doing?

Tier1Net has sent notices to its clients regarding the Heartbleed Vulnerability.  Tier1Net’s Professional Services clients do not use OpenSSL for Windows Servers or Certificates, so those devices are not vulnerable to the threat.  Tier1Net’s web servers do not use OpenSSL for websites hosted on its backbone.

However, certain Remote Access Devices, such as Sonicwall SSLVPN, may need firmware upgrades and patches.

Tier1Net is in direct contact with Sonicwall and several other hardware/software manufacturers to review the vulnerable devices and to develop appropriate action plans.

Tier1Net is also actively conducting a thorough review of any other potential devices within its clients’ networks that may be affected by this vulnerability.

Though there is no evidence that indicates this vulnerability has been previously exploited by hackers, Tier1Net recommends treating this vulnerability seriously and taking all appropriate security measures to protect yourself and your business.


For more information on the Heartbleed Vulnerability, please click the sources below:


http://heartbleed.com

http://www.symantec.com/connect/blogs/heartbleed-openssl-take-action-now

http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

As of April 8, 2014, support for Windows XP, including security updates and patches, will cease.

The lack of security updates will put Windows XP machines at significant risk of infection.  Without critical Windows XP security updates, machines running XP may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage business data and information.   Antivirus software and network perimeter intrusion protection alone will not be sufficient protection against future security vulnerabilities discovered within the Windows XP operating system.

Businesses that adhere to strict regulatory guidelines (HIPAA for example) and continue to use Windows XP machines may find themselves out of compliance after April 8th.

Third party applications, and peripheral hardware, are also subject to incompatibility with Windows XP machines after April 8th.

Tier1Net recommends replacing Windows XP machines with new devices running Windows 7 Professional or higher. 

Please contact Tier1Net for more information or assistance.

Regards,

Tier1Net, Inc.


Also retiring on April 8th: Microsoft Office 2003 will reach end-of-support on April 8, 2014.  Users are encouraged to upgrade to Office 2013.


Read more here:

http://windows.microsoft.com/en-us/windows/end-support-help

http://www.av-test.org/en/news/news-single-view/artikel/microsoft-puts-xp-in-the-firing-line/


URGENT:

A ransomware virus called “CryptoLocker” is currently in circulation.  If a user is infected with CryptoLocker, the virus can potentially encrypt, or “lock down”, every file on your network.  Once encrypted, these files may remain inaccessible indefinitely.

The CryptoLocker virus is typically spread through emails sent by fraudulent customer support representatives of Fedex, UPS, DHL, etc.  These fraudulent emails will usually reference something about your tracking number or account, and will contain a zip attachment that carries the virus.  The zip attachment is often disguised as a harmless pdf file.

Emails containing this virus may be blocked by various threat mitigation tools already in place on your network, such as Firewall/Email Filtering and Desktop AntiVirus.  However, because of the potential severity of this virus, Tier1Net recommends using extra caution when opening email attachments.

Tier1Net urges you to remind employees to use diligence when opening email attachments or clicking on links within email. 

If someone at your company believes they have been infected with the CryptoLocker virus, please disconnect their machine from the network immediately and contact Tier1Net.
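The zip-disguised-as-PDF lure described above can be caught at the mail gateway before a user sees it. The script below is an added example, not Tier1Net’s or US-CERT’s code: it walks a raw e-mail, opens any zip attachment, and flags members that are executables, carry a double extension, or contain a Windows PE header under a harmless-looking name. The lure message it runs on is constructed, including the sender address and tracking number.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. The CryptoLocker lure is a zip holding one of
# these, named to pass for a PDF ("Tracking_Details.pdf.exe"); Explorer hides the last
# extension by default, so the user sees "Tracking_Details.pdf".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def _classify(name, head):
    """Reason a file is dangerous, judged by its name and the first bytes of its content."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3:
            return "executable disguised with a double extension"
        return "executable attachment"
    if head.startswith(b"MZ"):  # PE header under a non-executable name
        return "PE executable content under a non-executable name"
    return None


def suspicious_attachments(raw_message):
    """Scan a raw RFC 822 message; return (attachment, zip member or None, reason) findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reason = _classify(name, data[:2])
        if reason:
            findings.append((name, None, reason))
        if zipfile.is_zipfile(io.BytesIO(data)):
            # Look inside the archive, reading only the first bytes of each member so an
            # oversized member cannot exhaust memory.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    with zf.open(member) as fh:
                        reason = _classify(member.filename, fh.read(2))
                    if reason:
                        findings.append((name, member.filename, reason))
    return findings


def build_sample_message(zip_name, member_name, member_bytes):
    """Constructed sample shaped like the carrier lure described above, with one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "FedEx Customer Support <support@example.invalid>"  # spoofed sender (constructed)
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Delivery failed: tracking number 748213"
    msg.set_content("Please open the attached shipping document to reschedule delivery.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_message("Tracking_Details_748213.zip",
                                "Tracking_Details_748213.pdf.exe", b"MZ" + b"\x00" * 64)
    for finding in suspicious_attachments(lure):
        print(finding)
```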

For more information, please read the release below, from the National Cybersecurity and Communications Integration Center:

TA13-309A: CryptoLocker Ransomware Infections

Original release date: November 05, 2013 | Last revised: November 06, 2013

Systems Affected

Microsoft Windows systems running Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.  In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
  • Maintain up-to-date anti-virus software
  • Perform regular backups of all systems to limit the impact of data and/or system loss
  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
  • Secure open-share drives by only allowing connections from authorized users
  • Keep your operating system and software up-to-date with the latest patches
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks


Why can email attachments be dangerous?

Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers:

  • Email is easily circulated – Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don’t even require users to forward the email—they scan a user’s computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open any message that comes from someone they know.
  • Email programs try to address all users’ needs – Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.
  • Email programs offer many “user-friendly” features – Some email programs have the option to automatically download email attachments, which immediately exposes your computer to any viruses within the attachments.

What steps can you take to protect yourself and others in your address book?

  • Be wary of unsolicited attachments, even from people you know – Just because an email message looks like it came from your mom, grandma, or boss doesn’t mean that it did. Many viruses can “spoof” the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it’s legitimate before opening any attachments. This includes email messages that appear to be from your ISP or software vendor and claim to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.
  • Keep software up to date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
  • Trust your instincts – If an email or email attachment seems suspicious, don’t open it, even if your anti-virus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the anti-virus software might not have the signature. At the very least, contact the person who supposedly sent the message to make sure it’s legitimate before you open the attachment. However, especially in the case of forwards, even messages sent by a legitimate sender might contain a virus. If something about the email or the attachment makes you uncomfortable, there may be a good reason. Don’t let your curiosity put your computer at risk.
  • Save and scan any attachments before opening them – If you have to open an attachment before you can verify the source, take the following steps:
    1. Be sure the signatures in your anti-virus software are up to date.
    2. Save the file to your computer or a disk.
    3. Manually scan the file using your anti-virus software.
    4. If the file is clean and doesn’t seem suspicious, go ahead and open it.
  • Turn off the option to automatically download attachments – To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and make sure to disable it.
  • Consider creating separate accounts on your computer – Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges. Some viruses need “administrator” privileges to infect a computer.
  • Apply additional security practices – You may be able to filter certain types of attachments through your email software or a firewall.

Both the National Cyber Security Alliance and US-CERT have identified this topic as one of the top tips for home users.

Authors

Mindi McDowell and Allen Householder