Cyber security roundup, 16th May 2017

This is a fortnightly roundup of cyber security news relevant to IT managers in the UK. If you find it useful, subscribe to updates in the sidebar.

  • WannaCry Ransomware – There is a huge amount of news coverage on this already. In terms of mitigation, the short version is: patch your systems, and run Microsoft systems that are supported (please note that, unusually, Microsoft has released a security patch for the no longer supported Windows XP and Windows Server 2003). The longer mitigation version: worms are not a thing of the past, so take a defence in depth approach that includes disabling legacy protocols (in this case SMBv1).
  • Intercepting SMS security codes to hack bank accounts – For anyone that doesn’t know, mobile telephone communications can be intercepted due to vulnerabilities in the signalling protocol called SS7. The vulnerabilities allow calls and text messages to be redirected. A real exploit of this vulnerability has now been confirmed, used to gain access to SMS validation codes provided to banking customers. The first stage of the attack was a traditional computer virus to obtain username and password details; the second stage compromised the SMS code. The vulnerability in SS7 remains, and this attack vector remains open to motivated hackers. “Proper” two factor authentication should use a token to generate the codes rather than sending them by SMS (NIST now discourages SMS based authentication).
  • Telnet vulnerability on certain Cisco devices – Initially identified in March as a result of the CIA “Vault 7” disclosure on Wikileaks; Cisco recommended disabling telnet in favour of SSH on affected devices. An IOS update has now been made available.
  • Diplomatic, military and banks with offices in the Middle East – If you fit into those categories, read more at the FireEye blog. Regardless of whether you fit into the category, a recent Microsoft security update means the ability to insert Encapsulated PostScript (EPS) graphics into Office documents will no longer work by default.
  • The Guardian dating site leak – Soulmates has leaked a number of user IDs and email addresses. The cause of the breach has been identified as a third party provider. This highlights that information security considerations apply to the full supply chain of a company, not just your company in isolation.
  • Intel remote management (AMT) vulnerability – If you have enabled Intel’s remote management capability then beware of a critical vulnerability. Great write-up and suggested mitigations here.
  • Microsoft updates – Patch Tuesday, on 9th May, released various fixes, including for a number of zero day vulnerabilities reportedly relevant to espionage against diplomats and military targets. The best breakdown of the patches is here.
  • Adobe updates – Adobe Flash updates to address priority 1 vulnerabilities, released 9th May.
  • Cisco Webex – If you run your own meeting server, beware that a vulnerability could allow unauthenticated, remote attackers to gain information that could allow them to access scheduled customer meetings.
  • Key logger on HP devices – Code that logs keystrokes, used for debugging on test machines, has been shipped on commercial products. The result is that keystrokes are logged to a local file. HP has an announcement on the models impacted and the fixes available.
  • President Trump signs Executive Order on cyber security – The order, amongst other things, requires government agencies to use the NIST Framework for Improving Critical Infrastructure Cybersecurity and provide a risk report within 90 days. The NIST Framework is the best I have personally seen. I wonder how well UK government agencies would cope with a similar requirement.