Attention McAfee Email Protection Clients:

McAfee has released the following service alert:

“A network issue in North America has impacted Web Protection and Email Protection traffic  for some customers.  We are in the process of enacting our emergency failover processes to try and restore service as soon as possible.

Web Protection customers may experience issues connecting to the proxy service and Email Protection customers may see delays in both inbound and outbound mail processing.

There may also be ancillary services that see degraded performance as well such as Quarantine release, ClickProtect, Control Console access, Message Continuity Unspool, and Archiving ingest.”

For more information, please see https://support.mcafeesaas.com/mcafee/_cs/BusinessDisplay.aspx?sSessionID=&did=1

Tier1Net has received increased reports of legitimate emails being delayed with the senders receiving a temporary failure message of  “451 Exceeding Connection Limit: RBLDNSD.”

Tier1Net has traced the issue to a new Spam Flood Prevention policy recently enabled by McAfee.  This new policy was designed to reduce the impact of certain spam campaigns characterized by unusual spikes in traffic over short periods of time, by withholding delivery until traffic returns to a normal threshold.

However, Tier1Net has observed a high volume of “false positive” delays, wherein McAfee identifies legitimate senders as spam campaigns.

As a result, Tier1Net has disabled the McAfee Spam Flood Prevention feature for all of its McAfee Email Protection customers.

For more information, please visit https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=16814425079KXWEWWRBBBBIZKVKUXMZPPKRORQWW&aid=271042

As of 4/14/2015, the Google Chrome browser version 42.xx and above will no longer directly support the Java platform.

Java relies on NPAPI, an API first introduced over twenty years ago.   Google feels that NPAPI’s “90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity.”   For these reasons, Google Chrome no longer supports NPAPI, which means the Java Platform will no longer work in Google Chrome.

Users experiencing issues with Java in Chrome may follow either of these workarounds:

1. Switch to an NPAPI-supported web browser, such as Internet Explorer 11 or Mozilla Firefox.

2. Manually re-enable NPAPI in Google Chrome using the steps below.  (Note: This workaround will be removed by Chrome in September 2015 or earlier.)

  1. Paste the following link into your Google Chrome browser: chrome://flags/#enable-npapi
  2. Click “Enable” under NPAPI.  (If you see the word “Disable,” then it is already enabled.)
  3. After enabling NPAPI, click the “Relaunch Now” button at the bottom of the page or the changes will not take effect.

 

http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html

 

A cyberattack against JPMorgan Chase last summer, which affected 76 million households, could have been prevented by a simple security fix, experts say.

Had JPMorgan Chase implemented TWO-FACTOR AUTHENTICATION on all of their servers, the breach would likely not have occurred.  From Dealbook at the New York Times:

“Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion.”

Two-factor authentication adds a second layer of authentication to login procedures, beyond the username/password combination.  This second layer of authentication makes it increasingly difficult for hackers to remotely access your data.

Two-factor authentication can be established many ways, but the basic principle is to combine 1. SOMETHING YOU KNOW (like a username/password combination) with 2. SOMETHING YOU HAVE (like a key fob, mobile phone, or biometric fingerprint).

Tier1Net recommends implementing two-factor authentication on all publicly accessible remote access portals.  The Sonicwall SRA appliance leveraged by many Tier1net customers has this capability bundled into its standard operating system.  This feature known as ONE-TIME PASSWORD or OTP works by challenging an authenticated user with a request for a second password.  The second password is sent from the device to the user via text message.  Upon each subsequent login, the user will receive a different one-time password for access.
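To make the one-time password flow described above concrete, here is a small server-side model written for this notice; it is not SonicWALL's code and assumes a hypothetical `send_sms` callback for out-of-band delivery. It shows the properties that make the second factor worth having: a fresh random code per login, an expiry, a small attempt budget, single use, and a constant-time comparison.

```python
import hmac
import secrets
import time


class OtpService:
    """Hypothetical server-side model of an SMS-delivered one-time password challenge."""

    def __init__(self, send_sms, ttl=300, max_attempts=3, now=time.time):
        self.send_sms = send_sms        # out-of-band delivery callback (e.g. an SMS gateway)
        self.ttl = ttl                  # seconds a code stays valid
        self.max_attempts = max_attempts
        self.now = now                  # injectable clock so expiry can be tested
        self.pending = {}               # username -> challenge state

    def challenge(self, username, phone):
        # Runs only after the primary factor (username/password) succeeded.
        # Each login gets a fresh, unpredictable code, never derived from the last one.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {
            "code": code,
            "expires_at": self.now() + self.ttl,
            "attempts_left": self.max_attempts,
        }
        self.send_sms(phone, f"Your one-time password is {code}")

    def verify(self, username, submitted):
        state = self.pending.get(username)
        if state is None or self.now() > state["expires_at"]:
            self.pending.pop(username, None)   # expired or never issued
            return False
        state["attempts_left"] -= 1
        ok = hmac.compare_digest(state["code"], str(submitted))  # constant-time compare
        if ok or state["attempts_left"] <= 0:
            # Single use: a correct code is consumed, and too many wrong guesses
            # discard the challenge so the user must log in again for a new one.
            del self.pending[username]
        return ok
```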

Recently Tier1Net has been implementing all new Sonicwall SRAs with this secure configuration by default, and strongly recommends enabling it for all production appliances currently configured for single factor authentication.

Thanks and Happy Holidays!

Tier1Net

 

Read More: http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/

 

Countdown to Windows Server 2003 End of Support Date

The deadline for upgrading Windows 2003 Servers is fast approaching.

In July of 2015, Microsoft will be discontinuing support for Windows 2003 Operating Systems.

After that time, servers running Windows 2003 will no longer receive critical security updates and patches.

The US Department of Homeland Security has released a statement urging users to upgrade their systems prior to the End-of-Support date:

“Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.”

 

Tier1Net has been reaching out to individual clients who are still using Windows 2003 Operating Systems in their environments to discuss migration plans.

If you have questions about the Windows 2003 Server End-of-Support or migration process, please contact us.

 

Further Reading:

http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/

https://www.us-cert.gov/ncas/alerts/TA14-310A

The POODLE vulnerability, or “Padding Oracle On Downgraded Legacy Encryption”, is a new security threat found within existing, though outdated, encryption technology.

This vulnerability is not as threatening as Heartbleed or Shellshock, which could both be exploited via direct attack vectors. The POODLE vulnerability requires a man-in-the-middle attack vector in order to be exploited.

Unfortunately, this vulnerability does not have a specific solution or patch, but rather multiple methods of reducing exposure.  Experts at Google, Microsoft, Mozilla, and others have all posted possible methods to mitigate against the POODLE vulnerability.

Tier1Net is actively following all POODLE developments and will release a more detailed notice with information regarding the vulnerability and steps that can be taken to reduce exposure.


POODLE exposes a vulnerability in an outdated – but still used – web encryption technology SSL 3.0.  Modern web browsers are designed to prefer the newer TLS encryption protocol when accessing a service secured via SSL.  But most browsers will still accommodate SSL 3.0 traffic, if the host or client demands it.  SSL 3.0 traffic, however, exposes a unique vulnerability for attackers to decrypt data sent between the client and server.


It would not be easy to exploit this vulnerability, however.  “The conditions that are required for the attack to be applicable are hard to obtain,” said Itsik Mantin, director of security research at Imperva. “In particular, the attacker needs to become a man-in-the-middle between the attacked client and server, and to generate, block and modify client messages to the server and vice versa.”  An attacker could then theoretically force the host/client connection to “fall back” to SSL 3.0, where the attacker could then potentially access data.  An attack such as this would most likely occur on an unsecured public network, such as a Wi-Fi network at an airport.

In order to safeguard against POODLE, SSL 3.0 fallback must be blocked at all levels.  Due to the scope and complexity of possible SSL 3.0 usage, a permanent blocking solution is not yet agreed upon.  Blocking SSL 3.0 prematurely could break many existing websites: potentially blocking users from accessing a client’s own site, and also blocking employees from accessing business-critical sites.
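The fallback mechanism the two paragraphs above describe, and why it has to be blocked on both the client and the server side, can be modelled in a few lines. This is an added illustration written for this notice, not real TLS code: the version strings, the `Server`, `BlockingMitm` and `connect` names are all assumptions, and the "attacker" is only a function that drops handshakes above SSL 3.0 so the retry-on-failure logic of a legacy client can be watched.

```python
# Model of the protocol-fallback "dance" and of the two places it can be stopped.
TLS_VERSIONS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"]  # strongest first


class Server:
    """A server that accepts whatever offered version it still has enabled."""

    def __init__(self, supported):
        self.supported = set(supported)

    def handshake(self, offered):
        return offered if offered in self.supported else None


class BlockingMitm:
    """Models an active man-in-the-middle that drops every handshake above SSL 3.0.
    To the client this is indistinguishable from a flaky network, which is exactly
    what triggers the legacy fallback behaviour."""

    def __init__(self, server):
        self.server = server

    def handshake(self, offered):
        if offered != "SSL 3.0":
            return None          # handshake "lost"; client will retry lower
        return self.server.handshake(offered)


def connect(endpoint, minimum="SSL 3.0"):
    """Legacy-style client: retry with the next lower version after a failure.
    `minimum` is the lowest version the client will ever offer; a hardened client
    sets it to TLS 1.0 or higher.  Returns the negotiated version, or None if no
    version at or above the floor succeeded."""
    floor = TLS_VERSIONS.index(minimum)
    for position, version in enumerate(TLS_VERSIONS):
        if position > floor:
            break                # refuse to go below the floor: fallback blocked
        negotiated = endpoint.handshake(version)
        if negotiated is not None:
            return negotiated
    return None
```

Disabling SSL 3.0 on the server (`Server` without "SSL 3.0") stops the downgrade even for an unpatched client, and a client floor of TLS 1.0 stops it even against a server that still speaks SSL 3.0; the mitigation works when either side refuses.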

Tier1Net is actively following all recommendations and will keep its clients apprised of new developments.

 

https://www.openssl.org/news/secadv_20141015.txt

https://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844

http://www.pcworld.com/article/2834015/security-experts-warn-of-poodle-attack-against-ssl-30.html


Dell SonicWALL has identified multiple LDAP authentication protocol vulnerabilities exposed when SonicOS is configured to use Microsoft Active Directory / LDAP for authentication of AD/LDAP usernames who are members of SonicWALL Administrator groups.   Tier1Net’s infrastructure is not exposed to this vulnerability.  However, to mitigate against possible future exposure, Tier1Net will be performing firmware updates on all Dell SonicWALL firewalls within its network infrastructure.

If you have questions or concerns about this matter, please contact Tier1Net.


Attention Tier1Net Clients:

We have heard reports of a widespread phishing scam posing as a legitimate American Express email.   Tier1Net is actively adding rules to block access to this phishing website across all managed firewalls.  Meanwhile, Tier1Net recommends alerting all users of this potential phishing scam and advising them to delete any suspicious American Express emails upon receipt.

The phishing email may contain the subject: “American Express – Safe Key” and claim to inquire about “recent charges on your account.”

If you receive this email, please delete it and do not click on any links within the email.  Clicking on the link within this email will take you to a fraudulent webpage requesting that you enter sensitive information.  If you visit this page, do not enter any sensitive information.

If you believe you have accidentally clicked this link, and/or have entered any information on the phishing webpage, please contact Tier1Net immediately.

A screenshot of the phishing email is included below.

 

 

Two days ago, Hold Security revealed that Russian hackers have amassed over 1.2 billion usernames and passwords from various websites. The Milwaukee-based firm would not elaborate on which websites were targeted, or how users could know if their credentials had been compromised.  Experts from within the firm, who played a role in identifying the previous security breaches at Adobe Systems and Target, say the latest Russian hacking scheme could be “the largest data breach known to date.”

Since the announcement, the scope and urgency of Hold Security’s claim has been questioned, with some arguing that the 1.2 billion usernames were amassed over multiple years via several hacking events: Stewart Baker, a partner at Steptoe & Johnson LLP and former general counsel of the National Security Agency, said, “1.2 billion is a very big number. If they got there by assembling two years’ worth of hacks, it is less impressive.”

Nevertheless, Tier1Net wants our clients to be aware that none of their Tier1Net hosted websites were affected by this alleged breach.

Meanwhile, we encourage all web users to review Tier1Net’s Best Practices for Safe Web Use below.

1. Regularly change your passwords for any sites that contain sensitive information, such as anything related to your finances, healthcare, credit cards, and banking information.

2. Do not use the same password across multiple sites.

3. Do not store your online logins/passwords in a file on your computer.

4. Regularly review your bank, credit card, financial, and healthcare statements for accuracy. Report unknown or suspicious activity immediately to the account provider.

5. When offered by an online provider, always opt for two-factor authentication. Two-factor authentication relies on a second set of credentials for access (beyond your password).

6. Proceed with caution.   When large scale malicious activity is reported, always assume that your accounts may have been targeted, and take the appropriate actions – such as changing your passwords – to safeguard against information breaches.

If you have questions about this latest security breach, or how to keep your web activity secure, please contact us.

Thanks,

Tier1Net

 

Researchers have just identified a vulnerability in OpenSSL software.   This vulnerability is known as the “Man in the Middle” threat, or MitM.

The MitM threat allows a hacker to potentially intercept and decrypt data transmitted between vulnerable clients and servers.

How Does MitM Work?

The attacker would forge a “handshake” between two devices so that each believes it is talking to the other, when in fact both are talking to the attacker. The attacker can then use the resulting key material to decrypt or modify traffic at will. However, the attacker would need to be in the “man-in-the-middle” position on the network (in between the two devices) in order to exploit this vulnerability.

Wireless networks are at a higher risk of this MitM attack, as they are more readily available and users could connect to any unsecured (or secured) network without a second thought.

 

Who Does MitM Affect?

The MitM threat affects all versions of the OpenSSL client.  Fortunately, Tier1Net’s Professional Services clients do not use OpenSSL for Windows Servers or Certificates, so those devices are not vulnerable to the threat.  Tier1Net’s web servers do not use OpenSSL for websites hosted on its backbone.

However, the OpenSSL technology is used in some Sonicwall SSLVPN devices.  Sonicwall SSLVPN devices may be affected by the MitM threat.

 

What is Tier1Net doing?

Tier1Net is in the process of upgrading the firmware of all potentially affected SSLVPN devices.  This firmware upgrade will protect against the MitM vulnerability.

Tier1Net has sent notices to all potentially affected clients.

 

For more information on the MitM Vulnerability, please click the sources below:

https://www.openssl.org/news/secadv_20140605.txt

http://threatpost.com/new-openssl-mitm-flaw-affects-all-clients-some-server-versions/106470