MOREnet Security News Review -- February 10 - 14, 2014
CURRENT THREAT ACTIVITY REPORT
Over the last several weeks, MOREnet Security has received numerous complaints about IP addresses of devices on the MOREnet network being used in denial-of-service attacks. The most recent complaints involve NTP. Network Time Protocol runs over UDP port 123 and is one of those “forgettable” protocols because it is typically configured once and then left alone. Unfortunately, that means upgrades aren’t performed on a regular basis, which leaves it vulnerable to being used in an attack.
NTP attacks are very similar to DNS amplification attacks. The attacker sends a small packet with a spoofed source IP requesting a large amount of data, which is then sent to the targeted address. The NTP request is made using the monlist command. Monlist, a remote command available in older versions, sends the requestor (in an attack this will be the target IP) a list of the last 600 hosts that have connected to that particular NTP server.
The easiest way to secure NTP is to either disable the monlist functionality or update NTP to version 4.2.7, which by default does not enable the command. The following links provide additional information about the risks associated with NTP and things you can do to make it more secure. If you have questions or would like assistance, please don’t hesitate to call MOREnet Security.
US-CERT Alert (TA14-013A) NTP Amplification Attacks Using CVE-2013-5211
Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
Don’t be a DDoS dummy: Patch your NTP servers, plead infosec bods
NTP-based DDoS attacks a concern, says Cloudflare
Understanding and mitigating NTP-based DDoS attacks
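A configuration audit for the NTP mitigation described above, added here as an example and not MOREnet's own tooling: it checks ntp.conf text and an ntpd version string for the settings that stop monlist replies. The sample configurations, the version string and the function names are constructed for illustration; `disable monitor` and `restrict default ... noquery` are standard ntp.conf directives.

```python
import re

# Release the newsletter names as not enabling monlist by default.
FIXED_VERSION = (4, 2, 7)

# Constructed sample inputs; not taken from any real host.
LEGACY_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
disable monitor   # turns off the monitoring data that monlist returns
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
OLD_BANNER = "ntpd 4.2.6p5@1.2349-o"  # constructed version string

def parse_version(banner):
    """Extract (major, minor, patch) from an ntpd version string, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def audit_monlist(conf_text, banner):
    """Return monlist-related hardening gaps; an empty list means none found."""
    version = parse_version(banner)
    if version is not None and version >= FIXED_VERSION:
        return []  # release at or above the one the newsletter recommends
    monitor_off = default_noquery = False
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tok:
            continue
        if tok[0] in ("disable", "enable") and "monitor" in tok[1:]:
            monitor_off = tok[0] == "disable"  # a later 'enable' undoes it
        elif tok[0] == "restrict" and "default" in tok[1:3] and "noquery" in tok:
            default_noquery = True  # covers 'restrict default' and 'restrict -6 default'
    gaps = []
    if not monitor_off:
        gaps.append("monitoring enabled: add 'disable monitor'")
    if not default_noquery:
        gaps.append("no 'restrict default ... noquery': remote queries are answered")
    return gaps
```

An unparseable version string is treated as an old release, so the configuration checks still run.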
WEEKLY THREAT RESOURCE SITE
KNOW YOUR ENEMY – THREAT ID OF THE WEEK
Forgotten or Unused Services – Sometimes we can end up being our own worst enemy… If you’re a system or network administrator, how often do you audit the services running on the devices you manage? Are they all necessary? Are they all patched? With the increase in attacks using older and often “forgotten” protocols (e.g., NTP on UDP port 123, DNS on UDP port 53, Chargen on UDP port 19), now would be a good time to take a look at your devices to make sure they’re running only what you need and that the software is up to date.
TOP HEADLINES THIS WEEK
New IE Zero-Day Found in Watering Hole Attack
Facebook: At least 67 million accounts are fake
Multifactor authentication extended to all Office 365 users
A Quarter of Parents Fear Their Children Have Been Exposed to Cyberthreats in Past Year
CloudFlare Infrastructure Hit With 400Gbs NTP-Based DDoS Attack
How old data can come back to haunt you
Compromised Snapchat accounts sending out spam
Fake “Track Shipments/FedEX” Emails Used to Distribute Malware
Fake SSL certificates deployed across the internet
Security Implications of IPv6 on IPv4 Networks
New Paper: Defending Data on iOS 7
VULNERABILITIES AND PATCHES
Microsoft Security Bulletin Summary for February 2014
US-CERT Vulnerability Summary for the Week of February 3, 2014
Security update available for Adobe Shockwave Player
SYM14-004 Symantec Endpoint Protection Management Vulnerabilities
Sysinternals Process Explorer v16.01 NOTE: Newest version includes Virus Total Integration
Building Global Trust Online Volume 3: Policymaker Guide to Security, Privacy, and Safety
Linkz 4 Mostly Malware Related Tools
Secure Coding Guide
Fireword Online Password Generator
Good Net Neighbor Phase I – In an effort to proactively reduce the number of security incidents caused by viruses and scanning, MOREnet offers a Good Net Neighbor Service to MOREnet customers. This is a low-risk, volunteer-based, no-cost service. Level One of the Good Net Neighbor Service will implement access control lists to block Windows Networking ports (TCP/UDP ports 135, 137, 138, 139 and 445). These ports are sometimes used by worms and viruses to scan, discover and infect other computers through the Internet. Check out the following link for more information on features, technical requirements, and support. http://www.more.net/services/good-net-neighbor-phase-1
UPCOMING TRAINING AND EVENTS
- Social Media Series Part 2, Understanding the Privacy Settings of Popular Social Media Sites – Wednesday, February 19, 2014 – Online Webinar. Even if you understand the risks associated with social media, which settings are best and how do you find them on each site? This webinar will focus primarily on Facebook privacy settings, but will include references to many other social media sites. Click here to register for this event.
- SANS SEC464: Hacker Guard: Security Baseline Training for IT Administrators and Operations with Continuing Education – Tuesday, February 25 – Wednesday, February 26, 2014, MOREnet, Columbia, MO -- This educational program gives IT admins the tools and techniques to illuminate evidence of potentially malicious activity on their systems and to look deeper to determine whether the problems they see are real. It allows them to become the hacker guards for malicious activity in their organization. It uses hands-on exercises to ensure they are comfortable using the tools. MOREnet members are eligible for a price of $1200. Last day to register is Friday, 2/14/2014. Click here for registration information.
- Social Media Series Part 3, Understanding the Privacy Settings of Popular Devices Media – Wednesday March 5, 2014 – Online Webinar – So your social media websites are locked down, but are all settings enforced the same if the device isn’t secured? Join us for a discussion of device settings to review to protect yourself from social media and other apps. Click here to register for this event.
- Introduction to Windows 2008 Server Administration – Monday, March 24 – Tuesday, March 25, 2014 – MOREnet, Columbia, MO -- Designed to build a foundation in basic server administration, this class introduces students to many of Windows Server 2008's features. The class includes extensive exercises which reinforce Microsoft Windows Server 2008 network administration skills as they are learned. Click here to register for this event
- Introduction to Windows 2008 DNS, DHCP and CSVde – Wednesday, March 26, 2014 – MOREnet, Columbia, MO -- This course is designed to provide a foundation for understanding both Domain Name System and Dynamic Host Configuration Protocol. Students will install and configure these services for automated IP communications. At the end of the day the students will also use the bulk user import utility CSVde. Students must have taken Intro to Windows 2008 server to attend. Click here to register for this event
- Windows 2008 Group Policy – Thursday, March 27, 2014 – MOREnet, Columbia, MO -- This class is designed to allow students to centrally manage workstations and servers with Group Policy Objects (GPOs) within a Windows Active Directory domain. In class we will start at the beginning by defining what Group Policy is and what can be accomplished by using Group Policies within your organization. We will create simple group policies and test their effectiveness on a Windows 7 machine. We will explore some advanced Group Policy subjects, such as redirecting user data and folders and deploying software, and finish with using Group Policy Preferences to map drives and clean out folders. Click here to register for this event
Do you know of any upcoming security-related training events? Please send them to email@example.com for inclusion in this newsletter!
SECURITY AWARENESS TIP OF THE WEEK
Tuesday, February 11th was Safer Internet Day. Check out the following links for information on what you can do to stay safe every day.
Safer Internet Day 2014
Safer Internet Day: don’t be an online sheep – our Top 10 Tips help you think before you act
Tips for safer browsing on Safer Internet Day
Microsoft Safety & Security Center -- Safer Internet Day
Let’s create a Better Internet together