So you have been cruising along at your business for years and all has been great, but now, out of the blue, people on your network are having trouble viewing websites.
You found that if you reboot the firewall (pull the plug on the thing, since it has no power switch), YOU get back online right away, but later that day someone else on the network is having trouble reaching websites, so you reboot the firewall again and all is well, for a while.
What could it be? It MUST be the firewall going bad since that fixes it.
Before jumping to that conclusion and just replacing the device, think back. Has your company grown? Maybe you have added a few new employees, or, maybe you have added tablets or other connected devices.
What may be happening is that you have added one device too many and exceeded the number of seats (concurrent client devices) that your firewall appliance is licensed for. When you originally purchased the device, a technician counted the computers, servers and other connected devices and said “You need a 25-user firewall and it will cost $xxx.xx”, to which you agreed and promptly forgot about.
Flash forward to today: your 12 users and one server have grown to 15 users and two servers, and many people have connected iPads, Android tablets or phones, taking you past the 25-seat limit. Once you are over the limit, the last device to connect is generally denied web access by the firewall, as a warning that you have exceeded the license terms. Turning that computer off usually does not release the seat; the firewall has to be rebooted to free up unused seats. Most seat-licensed appliances report the current seat count in their status page or logs, so check there before concluding that the hardware is failing.
So what are you going to do about it? I guess you could tell the employees to stop connecting their personal phones to your network, or you could replace the firewall with a cheap router that has no limitations.
Both will work, but are bad ideas.
The real solution is to correct the licensing issue. Determine how many connected devices you have within your network, and estimate how many you will need for the next year, then talk to a vendor who can provide the proper licenses and apply those for you. Don’t forget to include VoIP and security systems, even copiers and connected printers, as they may require a seat too.
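A quick way to get that device count, as an added example and not something from the original post: the script below pulls MAC addresses out of two sources a small office usually has at hand, the ARP cache of a PC on the LAN (`arp -a`) and the DHCP server's lease file, merges them, drops broadcast and multicast entries, and compares the total with the seat limit. The `arp -a` output and `dhcpd.leases` fragments are constructed samples, the firewall's own LAN address and the 20% growth allowance are assumptions, and whether your particular appliance counts seats by MAC, by IP, or only for devices that pass web traffic is something to confirm in its documentation.

```python
import re
from typing import Iterable, Optional, Set

# Constructed sample: Windows `arp -a` output for the LAN interface.
ARP_SAMPLE = """\
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.21          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample: fragments of an ISC dhcpd.leases file.
DHCP_LEASES_SAMPLE = """\
lease 192.168.1.21 {
  hardware ethernet aa:bb:cc:dd:ee:02;
  client-hostname "sales-laptop";
}
lease 192.168.1.40 {
  hardware ethernet aa:bb:cc:dd:ee:40;
  client-hostname "Johns-iPad";
}
lease 192.168.1.60 {
  hardware ethernet aa:bb:cc:dd:ee:60;
  client-hostname "copier-2ndfloor";
}
"""

# Matches both aa-bb-cc-dd-ee-ff (Windows) and aa:bb:cc:dd:ee:ff (Unix) forms.
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.IGNORECASE)


def normalize(mac: str) -> str:
    """Canonical lower-case, colon-separated form so the two sources merge."""
    return mac.lower().replace("-", ":")


def is_unicast(mac: str) -> bool:
    """Broadcast (ff:ff:...) and multicast (01:00:5e:...) entries are not
    devices and never consume a seat. Both have the I/G bit (least
    significant bit of the first octet) set, so drop anything with it set."""
    return int(mac.split(":")[0], 16) & 0x01 == 0


def extract_macs(text: str) -> Set[str]:
    """All distinct unicast hardware addresses mentioned in a text dump."""
    found = (normalize(m.group(0)) for m in MAC_RE.finditer(text))
    return {mac for mac in found if is_unicast(mac)}


def seat_report(sources: Iterable[str], seat_limit: int,
                exclude: Optional[Set[str]] = None, growth_pct: int = 20) -> dict:
    """Merge device addresses from several dumps and compare with the license.

    `exclude` holds addresses that must not be counted, e.g. the firewall's
    own LAN interface (it appears in every ARP cache on the segment).
    `growth_pct` is an assumed allowance for next year's growth when sizing
    the replacement license.
    """
    devices: Set[str] = set()
    for text in sources:
        devices |= extract_macs(text)
    devices -= {normalize(m) for m in (exclude or set())}
    count = len(devices)
    recommended = -(-count * (100 + growth_pct) // 100)  # integer ceiling
    return {
        "devices": count,
        "seat_limit": seat_limit,
        "over_limit": count > seat_limit,
        "headroom": seat_limit - count,
        "recommended_seats": recommended,
    }


if __name__ == "__main__":
    # Assumption: the firewall's LAN interface is 00:11:22:33:44:55.
    report = seat_report([ARP_SAMPLE, DHCP_LEASES_SAMPLE], seat_limit=3,
                         exclude={"00:11:22:33:44:55"})
    for key, value in report.items():
        print(f"{key:18} {value}")
```

Run it from a machine on the same LAN segment and feed it the real `arp -a` output plus the lease file from your DHCP server; the ARP cache only lists hosts that have been active recently, which is why the lease file is merged in, and devices behind a NAT-ing access point or a second router will show up as a single address.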
If you are experiencing rapid growth, consider upgrading to an unlimited license.
Just a note – If you have an old device, say 4-5 years old, now may be the time to consider upgrading the entire device to the latest technology at the same time you correct the user limitation!
Should you require help with this, Homeland Secure IT offers sales and support of most major brands of firewalls. We partner with Cisco, WatchGuard, SonicWALL, TrendNet, D-Link, NetGear and more! Call us for more information in the Greenville / Upstate SC area – 864.990.4748 or email info@homelandsecureit.com
WatchGuard, provider of firewall and security products for small, medium and enterprise businesses, issued a “Social Media Release” today that outlines a list of PCI pitfalls for retailers.
It is quoted below in its entirety but can be found here.
I’ll be posting about the new WatchGuard XTM 33, designed for small/medium businesses, which may be ideal for retailers!
Should you wish to purchase a WatchGuard product, receive more information or support, please call us at 864.990.4748 or email info@homelandsecureit.com… We are a WatchGuard partner!
—
Social Media Release:
WatchGuard Lists PCI Pitfalls for Retailers
NEW YORK (January 16, 2012) – WatchGuard Technologies
Highlights / News Facts:
Businesses that process, transmit or store cardholder data must implement security controls as defined by the latest PCI DSS standard. The following are the nine common PCI DSS compliance pitfalls that many retailers fall into and tips to avoid them.
- 1) Faulty firewall installation or configuration
  Many DIY (do it yourself) projects are easy; properly configuring a firewall is not one of them. According to WatchGuard research, a majority of small business security breaches are the result of improperly configured firewalls. Best practice: Use security certified technicians or trained resellers to ensure firewall configurations are proper and up to date; regularly audit firewall configurations as people and IT resources constantly change.
- 2) Relying on vendor supplied defaults for system passwords
  Not only is it critical to change vendor supplied default passwords, be sure to use something other than “password” as a password. According to a recently published research report, the most common passwords are: 1) password, 2) 123456, 3) 12345678, 4) qwerty, 5) abc123, 6) monkey, 7) 1234567, 8) letmein, 9) trustno1, and 10) dragon. Best practice: Change vendor settings and utilize strong passwords.
- 3) Failing to utilize IPS to protect stored cardholder data
  There are multiple ways to help protect stored cardholder data. One key technology that is often overlooked is IPS (intrusion prevention systems). IPS is to hackers as anti-virus is to viruses. IPS keeps hackers out and helps cardholder data stay safe. Best practice: Make sure intrusion prevention systems (IPS) are up and running.
- 4) Not encrypting transmission of cardholder data across open, public networks
  Encryption is a key component to PCI DSS compliance. A common problem occurs in the transmission of credit card data, which is often done in unencrypted email. Best practice: Use encryption everywhere, and especially in email systems where any type of sensitive information may be transmitted.
- 5) Failing to use and regularly update anti-virus software or programs
  Unlike desktop/endpoint anti-virus (AV), gateway anti-virus stops threats right at the entry point of a network. Using gateway AV adds an additional layer of defense at the primary point of attack, and because it functions at the gateway, users see no degradation of performance on their local computer. Best practice: Use gateway AV in addition to endpoint AV for maximum defense in depth.
- 6) Not maintaining secure systems and applications
  Many businesses do a good job at maintaining secure systems; however, what is often overlooked in today’s social media business world is application security. Most firewalls are incapable of distinguishing a web application from a website. Because of this, crafty cyber-crooks create web applications as a way to sneak past the firewall and steal cardholder data. Best practice: To gain control over web applications, businesses utilize the latest generation of UTMs and firewalls that include application control.
- 7) Providing access to cardholder data to those who do not need to know
  About 80 percent of security violations happen from within an organization. In order to reduce that figure, businesses should use the “least privilege rule,” which parallels the same concept of “need to know.” Users should be granted the minimum necessary permissions and privileges that are required for them to accomplish their jobs. When employees have access to data that they should not, bad things often result. Best practice: Use RBAC (role based access controls), separation of duties and other forms of “least privilege” to make sure data is restricted to those who absolutely must have access to it.
- 8) Forgetting to track and monitor all access to network resources and cardholder data
  Unfortunately, many businesses take a “fire and forget” approach to network security; once the firewall is set, they forget to check the reports. Many security breaches can be mitigated early on simply by checking reports and logs on a regular basis. Best practice: Establish a routine of checking logs and reports to spot trouble before it blossoms into headline security news.
- 9) Not having an information security policy
  In order to meet PCI compliance, businesses must create an information security policy that is up to date, and that addresses the security requirements as prescribed by PCI DSS. This should also include operational security, system usage, security management and other related policies. Best practice: Get IT, HR and other business stakeholders to regularly review information security policies.
Keywords:
PCI DSS, Network Security, Firewall, Cardholder Data, Passwords, Encryption, IPS, Anti-Virus, Application Control, Next-Generation UTM, Policy
Quote:
- “The PCI DSS standard is a model that many businesses – even non-retailers – can look to in order to maintain best security practices,” said Eric Aarrestad, Vice President at WatchGuard Technologies. “The devil is in the details when it comes to security. Hopefully, this quick list helps remind business owners and IT management that little things can make a big difference in preventing data loss.”
Do you have a unified threat management or spam protection device that is not from WatchGuard?
If so, and you would like to upgrade to the WatchGuard XTM or XCS series UTMs, then through December 2011 you can take advantage of their trade-in offer: hand in a competitor’s appliance for a three-year XTM Security Bundle on selected models, or a three-year XCS Email Security Bundle, and pay ONLY for the services.
You get the box for free!
Some of the brands that are acceptable trade-ins are:
- Astaro
- Barracuda
- Cisco
- Clearswift
- Fortigate
- IronPort
- Juniper
- M86 MailMarshal
- McAfee Email Gateway
- ProofPoint
- SonicWall
- St. Bernard
- Symantec
- Trend Micro
For more information, please contact your WatchGuard reseller, or if you’re in the Greenville / Upstate SC area, please call Homeland Secure IT at 864.990.4748 or email info@homelandsecureit.com
SecurityFocus has two posts indicating that Cisco IOS 15.0 contains vulnerabilities that remote attackers can trigger.
Both are DoS (Denial of Service) issues, and at this time Cisco is not offering a fix. Until fixed IOS images are available, reduce your exposure: permit SNMP only from your management hosts with an access list, and do not leave SNMP or other UDP services on the router reachable from the Internet.
Should your network become unresponsive, you can reboot the Cisco device to restore connectivity.
The original posts are as follows:
Cisco IOS UDP Denial of Service Vulnerability
Cisco IOS SNMP Message Processing Denial Of Service Vulnerability
Homeland Secure IT is a Cisco partner and can apply the IOS updates when they become available. We are also partners with and offer sales & support of SonicWall, WatchGuard and other firewall/router manufacturers. If this issue becomes of concern for you or your business, we can provide alternative products which are not vulnerable. In Greenville / Upstate SC, call 864.990.4748 or email info@homelandsecureit.com
I am reposting this from WatchGuard Security Center blog in its entirety below. I have kept fairly silent on this subject as everyone has said everything that needs to be covered. Corey did a fine job of outlining the situation though, so for your reading enjoyment:
Huge Sony PSN Data Breach; What Should I Do?
Corey Nachreiner | April 28, 2011 | http://wp.me/pVP8E-aq
On Tuesday, Sony officially disclosed a humongous data breach against the Playstation Network or PSN (recently renamed to Qriocity), which allowed external attackers to get their hands on the Personally Identifiable Information (PII) of around 77 million gamers. Worse yet, they may have even stolen their credit card information, too.
If you read security news, or follow me (@SecAdept) on Twitter, you’ll know this incident has been brewing for around a week now. It first started last Wednesday, when PSN went down for all Playstation 3 users. At the time, I’d imagine that most customers assumed the outage was some sort of routine maintenance. However, with Sony recently coming out of a DDoS battle with “Anonymous” over the Geohot Playstation hacking lawsuit, paranoid security professionals like me suspected this outage might be related to more “Anonymous” hijinks. Unfortunately, we have since learned that that wasn’t the case (I wish it was).
Over the next few days, the story continued to slowly unfold, mostly on security and gaming sites. Sony blog posts (some of which were later removed) eventually admitted that the issue may be related to an “external intrusion.” However, Sony was not quick to confirm the details, or share what the attackers got. If you are interested in how the story slowly unfolded, PCWorld has a great timeline of the incident. In any case, Sony finally sent an email to all its PSN subscribers Tuesday night, sharing exactly what the bad guys stole — and unfortunately the cretins hit pay dirt.
If you’d like to read Sony’s email in full, check out this forum post, but I’ll quickly highlight what it claims the attackers stole from all PSN subscribers:
- Your name,
- address (city, state, zip),
- country,
- email address,
- birthdate,
- PSN password and login
- PSN online ID and handle
- purchase history,
- billing address (may be different than normal one),
- security answers,
- and possibly even your credit card information (excluding security code)
Unfortunately, this is a huge repository of valuable information for identity thieves and attackers wishing to target your other online accounts. On the surface, the biggest concern is whether or not attackers gained access to credit card (CC) numbers. Sony is not very clear on this count. They claim they have no evidence to suggest so. However, they immediately backpedal, saying they cannot rule out the possibility. A more recent Sony Blog update has at least shared that the CC data was encrypted, and that they didn’t store any security code info for CCs. Well, at least that’s semi-good news.
So what’s a PSN subscriber to do?
Being one myself, I immediately asked myself that very question. Here’s what I’ve come up with:
- Do you follow best password handling practices? If not, change your passwords. One well known, but often ignored, password security practice is that you should NOT use the same password everywhere. Unfortunately, many people, including security professionals, don’t follow this practice. If you are one of those people, the first thing you need to do is go to all the important sites you visit and change your password. If someone has your email address and a password, that will get them into many popular sites you may frequent.
- Cancel/change your credit card. This one really sucks. It can be a pain to get new credit cards, mostly when you don’t know for sure whether it is entirely necessary. Unfortunately, I have to lean towards being safe and not sorry. If you shared your CC with PSN (it’s possible you may not have), you should probably get new cards. Granted, Sony does say the CC data was encrypted. So ultimately, it is up to you if you want to take the chance.
- Watch your credit information. There’s really nothing you can do about the fact that a lot of your PII data is out there. This is the same data bad guys use to set up fraudulent accounts in your name. Luckily, attackers didn’t get one crucial (at least in the US) piece of data: your social security number. Without this, they probably can’t set up financial accounts in your name. Nonetheless, you should still monitor your credit via your country’s credit agencies. You may even consider submitting a fraud alert or credit freeze, which will make it harder for attackers to create new accounts in your name.
- Remain vigilant for follow-up attacks. Since the attackers didn’t get Social Security numbers, they don’t have all they need to totally steal your identity. However, they often follow up these sorts of attacks with other attacks (email phishing), trying to gather any additional info they need. Furthermore, they can often leverage the information they’ve already stolen to help trick you into trusting them. So remain vigilant against phishing and social engineering attacks asking you for private info.
The last question that I’m sure is on everyone’s mind is how Sony actually got hacked. The short answer is, we don’t know yet. Sony’s not sharing. There have been a number of rumors, though:
- Geohot did it. This is the guy that hacked the Playstation 3′s DRM and copy protection. Sony sued him for it, and he settled the case (saying he’d leave Sony stuff alone). This guy’s smart enough to breach networks, but I’m pretty sure he didn’t go after PSN, mostly after settling with Sony. So I doubt this is the case.
- “Anonymous” did it. Anonymous is that random group of hackers that went after HBGary. They also sided with Geohot during the PS3 hacking case, and likely launched DDoS attacks against Sony in early April. However, they claim they had nothing to do with this breach. I tend to believe it as Anonymous tends to stick more with headline grabbing stunts, than these highly illegal, malicious breaches. That said, some solo-Anonymous hackers may have acted alone.
- The attack is the result of a custom PS3 firmware (called Rebirth). When Geohot hacked the PS3 DRM, he made it possible for homebrew coders (and pirates) to load their own modified firmware onto the PS3. These modifications could allow Playstation users to do all sorts of cool things that Sony didn’t originally intend the PS3 to do. However, some of the latest custom firmwares coming out of the PS3 “scene” included modifications that would allow hacked PS3s to regain access to PSN, or worse, the PSN developer network. One of those firmwares was called Rebirth. Due to the timing of Rebirth’s release, and some of its features, some people suspect it has something to do with how the PSN attackers were able to breach Sony’s PSN network. In fact, it seems very likely that the modified firmware was at least used to fraudulently download PSN games without valid CCs. Of the rumors presented, this one seems most possible to me. That said, the creators of Rebirth have claimed they weren’t responsible either. However, they admit users have found interesting ways to use their firmware.
Besides those rumors, other experts have shared their own guesses about how this breach might have happened. For instance, one mentioned that it could have been a spear-phishing email, that got malware on an administrator’s computer. That guess is as good as any. After all, that’s basically how the Aurora attackers got into Google — it’s certainly possible. Yet, it’s still just a guess. Until Sony, or someone else, shares the real story, all we can do is wonder.
Not knowing exactly how the breach happened makes it harder to give you a specific defense that can help prevent this from happening to you, but that’s where good ol’ “Best Practices” come in (something we also learned during the HBGary incident). Two things come to mind for me:
- Defense-in-Depth. Security guys hear this so often that it stops feeling relevant. It still is. It’s simple math. The more defensive layers you build up — things like Firewalls, IPS, AV, application control, cloud reputation, etc. — the better statistical chance you have of detecting and blocking an attack. That is why WatchGuard created our XTM appliance. We want to make it as easy as possible to incorporate as many defenses as possible, in one easy to manage appliance, and to have a platform that allows you to evolve your defenses in the future. That said, when most people think “Defense-in-Depth,” they only think about the hard, preventive technology measures, such as the ones I’ve mentioned above. They don’t think as much about the softer security measures, such as visibility tools that may also help you recognize unusual incidents, like security breaches. When you are building your layers of defense, don’t forget to include products that offer visibility tools as well (we have great visibility tools, and plan to make them even better).
- Focus your perimeter on your data center! One of my predictions for this year was that your perimeter will not go away. It will just shrink, harden, and focus on your data center. The huge increase in mobile workforce and technologies, has caused the security industry to largely focus on mobile security technologies — for good reason. However, just because you need mobile defenses, doesn’t mean you can tear down the walls around your castle. Instead, the huge increase in big data breaches, like this PSN incident, has shown that we need strong, evolving perimeter defenses around our data centers, today more than ever. Your perimeter shouldn’t only protect your data center from the world, but also from your own workforce. Based on what Sony’s doing to improve their PSN security, it sounds like they now agree with my prediction.
This PSN data breach will surely have resounding effects on network security for years to come. I wouldn’t be surprised to see it cause PCI changes, trigger politicians to suggest new laws, and result in new business regulations. I will continue to follow the story and post any interesting new details I find. – Corey Nachreiner, CISSP. (@SecAdept)
—
Find more on the Watchguard Security Center blog…
Homeland Secure IT is a WatchGuard partner offering sales, service, support and consultation in Greenville & Upstate, SC. If you would like more information about WatchGuard products, please call 864.990.4748 or email info@homelandsecureit.com
The following blog post is from the WatchGuard Security Center, posted by Chris McKie….
The “Privacy Bill of Rights” – A WatchGuard Perspective
Chris McKie | April 12, 2011 | http://wp.me/pVP8E-8K
“Whenever industry fails to self-regulate, government will fill the void with legislation.” You can quote me on that.
Currently, the security industry fights a war on many fronts. On one end of the spectrum, we have industry regulations, such as PCI DSS, which helps mandate how credit card/payment card information is secured. On the other end, we have government regulations, such as CIPA (Children’s Internet Protection Act) or HIPAA (Health Insurance Portability and Accounting Act), which regulate data protection for schools, libraries and health care providers.
Now, we face one of the largest government acts of its kind, the “KerryDraft – Privacy Bill of Rights.” Although it is not law now, should it become law, businesses and consumers will see broad and sweeping changes to how consumer data is managed and protected.
Here are the key tenets of the Privacy Bill of Rights:
• Right to Security and Accountability
• Right to Notice and Individual Participation
• Right to Purpose Specification; Data Minimization; Constraints on Distribution; Data Integrity
• Voluntary Enforceable Codes of Conduct Safe Harbor Programs
• Co-Regulatory Safe Harbor Programs
• Application with other Federal Laws
• Development of Commerce Data Privacy Policy in the Department of Commerce
Obviously, this is a lot to digest for businesses and consumers. Here, I will break these points out in greater detail and provide in-depth analysis and commentary so that you can better understand the impact of this Act.
A year ago, Senators Kerry and McCain would have faced an uphill battle in pushing this legislation forward, but given the latest high-profile security fumbles (need I say Epsilon?), it follows that this Act may very well become the next big regulatory change for the industry. Stay tuned!
—
How do YOU feel about this? Go over to the WatchGuard blog and read this article and any follow-ups that may be made: http://watchguardsecuritycenter.com/2011/04/12/the-%E2%80%9Cprivacy-bill-of-rights%E2%80%9D-%E2%80%93-a-watchguard-perspective/#comment-333
I for one do not find this to be a step in the right direction.
Homeland Secure IT Alert for Wednesday, March 23, 2011
Adobe released out-of-cycle updates earlier this week that affect Flash Player, Reader and Acrobat across many platforms, including Apple Mac OS X, Microsoft Windows, Android and Chrome. Here is the summary from the WatchGuard Security Center:
Severity: High
21 March, 2011
Summary:
- These vulnerabilities affect: Recent versions of Adobe Reader, Acrobat, and Flash Player
- How an attacker exploits it: In various ways, but most commonly by enticing your users into visiting a website containing malicious Flash or Reader content
- Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
- What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.
Exposure:
Typically, Adobe’s quarterly Patch Day falls on the same Tuesday as Microsoft Patch Day (the second Tuesday of the month). However, a recent zero day Flash exploit circulating in the wild has encouraged Adobe to release a few out-of-cycle patches early. Today, Adobe released two security bulletins that fix a zero day Flash vulnerability in Reader, Acrobat, and Flash Player, running on all platforms (including Android).
Though the two bulletins affect different software, they both fix the same core Flash related vulnerability that we described in our earlier WatchGuard Security Center post. As usual, Adobe doesn’t describe this zero day flaw in any technical detail. However, they do mention that the flaw lies within the authplay.dll component, which all three vulnerable products use. By enticing one of your users to visit a web site or download a PDF file containing malicious Flash content, an attacker could leverage this flaw to execute code with that user’s privileges. If your users have administrative or root privileges on the victim platform, the attacker would gain complete control.
As was the case during our first post, attackers have been exploiting this flaw in the wild (even before Adobe knew it existed). If you use the affected software (as most users do), we highly recommend you install Adobe’s updates immediately.
For more details about these updates, see Adobe’s bulletins below:
Solution Path:
Adobe has released Reader, Acrobat, and Flash Player updates to fix this flaw. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you. Note: Adobe has not yet released a Reader X update for this vulnerability, since Reader X’s default sandboxing technology should protect you from this flaw by default. That said, we do expect a Reader X update at a later date.
- APSB11-05:
- Flash Player 10.2.153.1
- Flash Player 10.2.156.12 for Android <= (link only works from Android phone)
- Google Chrome (w/Flash 10.2.154.25)
- AIR 2.6
- APSB11-06:
- Adobe Reader
- For Windows
- For Mac
- Adobe Acrobat
- Standard and Pro for Windows
- Pro Extended for Windows
- Pro for Mac
For All WatchGuard Users:
Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe-related files using your Firebox’s proxy services. Such files include, .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on PDF files to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.
Nonetheless, if you choose to block some Adobe files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x
Status:
Adobe has released updates to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)
—
If you require assistance with these or any other computer service related issues in Greenville or Upstate SC, please call 864.990.4748 or email info@homelandsecureit.com – We are WatchGuard partners and offer sales and support of their fine line of security appliances to help protect your network!
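The Firebox note in the alert above blocks Adobe content by file extension. One caveat a practitioner will want, shown here as an added example that is not WatchGuard’s or Homeland Secure IT’s code: extension filtering is defeated by renaming evil.swf to holiday.jpg, and it cannot see Flash embedded inside a PDF, which is exactly what the authplay.dll component renders. The script below classifies a download by its leading bytes instead, and for PDFs looks for the markers of embedded Flash (a /RichMedia annotation, a /Flash instance, or an uncompressed stream that starts with an SWF header). The file contents are constructed samples, and the block/allow policy is an assumption made for illustration, not the Firebox proxy’s logic.

```python
from typing import Optional

# Leading-byte signatures for the Adobe formats named in the alert, plus
# JPEG for contrast. Director .DIR/.DCR files are left out.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"FWS": "swf",          # uncompressed Flash
    b"CWS": "swf",          # zlib-compressed Flash
    b"ZWS": "swf",          # LZMA-compressed Flash
    b"FLV\x01": "flv",
    b"\xff\xd8\xff": "jpeg",
}

# Extensions that legitimately carry each sniffed type.
EXTENSIONS_FOR = {
    "pdf": ("pdf",),
    "swf": ("swf",),
    "flv": ("flv",),
    "jpeg": ("jpg", "jpeg"),
}

# Markers of Flash objects embedded in a PDF.
PDF_FLASH_MARKERS = (b"/RichMedia", b"/Subtype /Flash", b"/Subtype/Flash")
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def sniff(data: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def pdf_embeds_flash(data: bytes) -> bool:
    """True if a PDF body carries RichMedia/Flash objects or an uncompressed
    stream beginning with an SWF header. Compressed object streams can hide
    the markers, so a miss is not proof of absence; a hit is a strong signal."""
    if any(marker in data for marker in PDF_FLASH_MARKERS):
        return True
    return any(b"stream" + nl + magic in data
               for nl in (b"\n", b"\r\n") for magic in SWF_MAGICS)


def classify(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed type and decide.

    Policy (an assumption for this example): block standalone Flash content,
    block PDFs that embed Flash, and block anything whose extension disagrees
    with its content, since renaming is the classic filter-evasion trick.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    embedded_flash = kind == "pdf" and pdf_embeds_flash(data)
    mismatch = kind is not None and ext not in EXTENSIONS_FOR.get(kind, ())
    block = kind in ("swf", "flv") or embedded_flash or mismatch
    return {
        "filename": filename,
        "declared_ext": ext,
        "sniffed_type": kind,
        "embedded_flash": embedded_flash,
        "extension_mismatch": mismatch,
        "decision": "block" if block else "allow",
    }


# Constructed sample downloads (not real files).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n",
    "holiday.jpg": b"CWS\x0a" + b"\x00" * 12,            # Flash renamed to .jpg
    "brochure.pdf": (b"%PDF-1.7\n3 0 obj\n<< /Type /Annot /Subtype /RichMedia >>\nendobj\n"
                     b"4 0 obj\n<< /Length 16 >>\nstream\nFWS\x08" + b"\x00" * 12
                     + b"\nendstream\nendobj\n%%EOF\n"),
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "notes.txt": b"Quarterly numbers attached.\n",
}


def scan_all(samples=SAMPLES) -> dict:
    """Decision for every sample, keyed by file name."""
    return {name: classify(name, data)["decision"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = classify(name, data)
        print(f"{name:14} ext={r['declared_ext']:4} type={str(r['sniffed_type']):5} "
              f"flash={r['embedded_flash']!s:5} -> {r['decision']}")
```

A content check like this belongs on whatever inspects the download (a proxy with content inspection, or a mail gateway hook), and it complements rather than replaces the extension rule; as the alert says, patching the Adobe products is still the real fix.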
Homeland Secure IT Alert for Tuesday, March 22, 2011
Apple Mac OS X owners will be happy to know that they have not been forgotten: 57 vulnerabilities affecting all current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard) are addressed in this major security update.
A total of 26 components that ship as part of OS X and OS X Server are affected, including QuickTime (five issues), ClamAV and Apache. In short, the update fixes many code execution vulnerabilities, Denial of Service (DoS) and cross-site scripting flaws, and information disclosure issues. Suggested action: install all necessary updates as soon as possible, keep current anti-virus on your computer, and avoid opening links and documents sent in email that you were not expecting.
Here’s the post from the WatchGuard site:
WATCHGUARD SECURITY ANNOUNCEMENT:
Summary:
- These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various documents or images
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer
- What to do: OS X administrators should download, test and install OS X 10.6.7 or Security Update 2011-001 as soon as possible, or let Apple’s Software updater do it for you.
Exposure:
Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 57 (number based on CVE-IDs) security issues in 26 components that ship as part of OS X or OS X Server, including Apache, Quicktime, and ClamAV. Some of the fixed vulnerabilities include:
- Multiple ImageIO Buffer Overflow Vulnerabilities. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities involving the way it handles certain types of image files (such as buffer overflow vulnerabilities). Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include JPEG, TIFF, and XBM.
- Many ATS Vulnerabilities. The Apple Type Service (ATS) helps OS X machines handle fonts. ATS suffers from various memory related vulnerabilities having to do with the way it handles certain types of embedded fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.
- Five Quicktime Vulnerabilities. Quicktime is the popular video and media player that ships with OS X (and iTunes). Quicktime suffers from five security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.
Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, cross-site scripting (XSS) vulnerabilities, and information disclosure flaws. Components patched by this security update include:
- AirPort
- Apache
- AppleScript
- ATS
- bzip2
- CarbonCore
- ClamAV
- CoreText
- File Quarantine
- HFS
- ImageIO
- Image RAW
- Installer
- Kerberos
- Kernel
- Libinfo
- libxml
- Mailman
- PHP
- QuickLook
- QuickTime
- Ruby
- Samba
- Subversion
- Terminal
- X11
Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.
On a related note, Apple has released many security updates in the last few weeks. Besides the Java update we alerted about early this month, Apple has also posted the following security-related product updates:
- Apple TV 4.2
- Safari 5.0.4 for OS X and Windows
- iOS 4.3 for iPhone, iPad, and iPod
If you use any of those products, we recommend you update them as well, or let Apple’s automatic Software Updater do it for you.
Solution Path:
Apple has released OS X Security Update 2011-001 and OS X 10.6.7 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.
- Security Update 2011-001 (Leopard)
- Security Update 2011-001 (Leopard Server)
- OS X 10.6.7 Update
- OS X 10.6.7 Update for early 2011 MacBook Pro
- OS X Server 10.6.7 Update
- OS X 10.6.7 Update Combo
- OS X Server 10.6.7 Update Combo
Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.
For All Users:
These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.
Status:
Apple has released updates to fix these flaws.
References:
This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)
—
If you require assistance with these updates or any others on your Apple Mac OS X system, Microsoft Windows workstation or server or have any other network computer security questions or issues in the Greenville, Upstate SC area, please call 864.990.4748 or email info@homelandsecureit.com
Something that many people don’t know is that there are actually expiration dates on hardware and software.
Let’s say you buy a Cisco ASA 5505 security appliance (firewall) for your business, and you keep it up to date. When do you expect to replace it? Chances are, you feel that the firewall should be left in place until it dies of old age or fails due to some other event like a power surge or lightning strike, etc.
That is exactly what an attacker hopes for, that you will “set it and forget it”. See, each security product receives many updates over the course of its life. The manufacturer finds security holes and produces patches to those vulnerabilities that must be installed, just like on your Microsoft Windows or Apple Mac OS. If you do not apply those patches, you run the risk of a security breach due to an attacker exploiting a known “hole” in a device.
So back to this “expiration date”. Each product actually has an “end of life”, and that is the date that the manufacturer will no longer support it. That comes in many flavors. It may be an end of sales cycle, or a complete end of support. Products that reach the end of life and are no longer updated are the prime targets of attackers.
Manufacturers have to leave behind old hardware because of changes in the firmware technology which could require additional processor or RAM capabilities, far beyond what your 5 year old firewall may have.
If you have an older piece of hardware, you may want to see if it is at its end of life, and at the very least ensure that the latest patches / updates from the manufacturer are installed.
Should you require assistance with this in Greenville or Upstate SC, please call us! We support all common brands of security firewall appliances and we are partners and dealers for Cisco, WatchGuard, SonicWALL and more!
864.990.4748 or email info@homelandsecureit.com
About a week ago (03-02-2011), Mozilla released Firefox update 3.6.14, designed to patch a number of security issues, then turned around and released Mozilla Firefox 3.6.15, designed to correct a Java applet bug that was presumably introduced in the 3.6.14 update.
The Java applet loading bug does not appear to create new security vulnerabilities, so you should be secure if you updated to 3.6.14, but I do not believe I would hesitate to update to the latest, just in case. Just to be clear, this does affect both Microsoft Windows and Apple Mac users.
This information comes courtesy of the WatchGuard security forum… Here’s a quote from that posting about upgrading to Firefox 4 BETA:
On the subject of Firefox, if you’re an adventurous user who likes to adopt the latest and greatest as early as possible, you might want to give Firefox 4 BETA a whirl. I’ve downloaded it myself, and it seems to have sped up my browsing experience a bit. Mozilla also ensures that the latest BETA contains the same security fixes as 3.6.15. - Corey Nachreiner, CISSP
Homeland Secure IT is your Greenville / Upstate, SC WatchGuard Partner, offering sales, service & support! Please call 864.990.4748 or email info@homelandsecureit.com if you require assistance with network or computer service or security…