In this edition, we will be looking at:
New stock in this week
Product Review Windows server - 2008 R2 standard edition
The WannaCry scramble
Are travel WI-Fi routers secure?
Stock in hand
Product Review of Windows serve - 2008 R2 standard edition
Standard Server is considered the entry-level version of Windows Sever 2008 (if there is such a thing as "entry-level" with server platforms). It is suitable for smaller businesses and organizations ("smaller" meaning users in the hundreds, not thousands, although multiple standard servers in a tree or trees would certainly accommodate even the largest of companies).
Standard Server supplies all the features discussed in this hour, including Hyper-V virtualization, and IIS7. It also provides for Network Address Translation and multihomed servers (servers with more than one network interface) that allow multiple network clients to share the same Internet connection in a small business setting.
Standard Server supports multiple processors (four cores on both x86 and x64 systems) and up to 4GB of RAM on an x86-based server and 32GB of RAM on an X64-based server. Standard Server provides a maximum of 250 Remote Access connections and 250 Terminal Services connections.
Some of the best features of the system include:
Role-based installation – allows you to simply specify the role the server is to play and installing only what's necessary
Read Only Domain Controllers (RODC)
Enhanced terminal services
Network Access Protection
All the versions of Windows Server 2008, except for the Web Edition, include the Hyper-V virtualization platform, although buyers of the standard edition could opt out of the Hyper-V virtualization platform if they wished.
The WannaCry scramble
A couple of weeks ago, possibly every security manager in the world was dealing with the repercussions of WannaCry (WannaCrypt), a ransomware worm that screamed across the internet and flooded the media. IT and security departments, placed on high alert, had to scramble — whether or not any of their systems had been infected. I was no exception.
WannaCry emerged after a hacking group named Shadow Brokers leaked a number of exploits and data related to previously undisclosed vulnerabilities in various technologies, including Microsoft Windows. One of the leaked exploits was modified and subsequently given a variety of names, the most prevalent of which was WannaCry. This malware features some nasty functionality. Not only does it encrypt data on hard drives and demand a ransom for the decryption key, but it also attempts to propagate via a previous known vulnerability in Windows’ Server Message Block (SMB) protocol.
Although Microsoft had issued a patch for this vulnerability, it hadn’t been implemented on thousands of PCs, for various reasons. Among those reasons was that many of them still run on outdated Windows OSs that are no longer recipients of free-of-charge support — and many users decided against paying for support. WannaCry could have been much more devastating than it was — and it was very disruptive, affecting hospitals and other health services in disproportionate numbers — if not for a “kill switch” that the malware author included in the code. There are various schools of thought as to why this kill switch existed, but the consensus is that the author wanted a way to stop the malware from propagating. The method was to register an obscure web domain. As long as the domain didn’t resolve to anything, the malware would continue to propagate and infect vulnerable devices. But a security researcher discovered the kill switch and registered the domain, which stopped the malware.
In the end, something like 200,000 devices (that we know of) were impacted.
And so, like many security professionals and IT departments, I was scrambling. Improved variants of WannaCry have already emerged, and I wanted to get ahead of the game, as well as determine whether there had been any impact to my organization. My first step was to ensure that all of my company’s PCs and servers were up to date with patches and had the most current endpoint protection installed and running. I also wanted to make sure that every device was being backed up, that the backups were occurring on a daily basis and that there was a current backup available.As for the patches, it wasn’t enough that they had been installed, since patches can be installed but not able to actively protect a device because there has been no reboot. I made sure that any PC or server that had a patch pending was forced to reboot.
There was a problem, however: the PCs of remote employees. Our systems management tool, which checks patch status, is installed on our internal network. We have no patch visibility and control over PCs in the field unless the user VPNs into the office. Because there typically isn’t any need for remote PC users to VPN, since most of our corporate apps are SaaS-based, chances were good that we hadn’t been able to push polices and get reports on the patch status of hundreds of PCs.This, then, was a rare case when I felt I needed to be a big foot. I had the IT department instruct managers to mandate that all of their workers either connect to the VPN or send screenshots to verify that their PC was up to date with patches. I don’t like to be a burden on the IT department or to issue mandates, but the danger to our operations made it necessary — the alternative would have been even more of a burden.
Meanwhile, we were already in the process of identifying a systems management tool that is cloud-based so that we can avoid this problem in the future. Other things such as endpoint protection and backup are already cloud-based and are therefore freed from the need of PCs being attached to our network, so it was easy to check on compliance with malware protection and backups.I also obtained indicators from some trusted internet sources and monitored our intrusion detection sensors for any traffic that would be indicative of an infected machine. So far so good.
My next course of action was to send an email summarizing the details of WannaCry and strongly urging employees to be on the lookout for phishing attempts, spam, suspicious links on social media sites, unverified software, etc., and to be diligent in not clicking or installing untrusted links or software. I emphasized that I wasn’t just talking about corporate devices, applications and email, but about personal devices as well. I also reminded employees of several of my security guiding principles, including that we are only as strong as our weakest link and that employees have a responsibility in the security of our company and its customers.I hope they take those words to heart.
Problem summary: The WannaCry ransomware outbreak was cause for concern even at companies not immediately affected.
Action plan: Make sure that every device, including remote PCs, is patched, has antivirus protection and is backed up, and remind all employees that they play a big role in keeping the company safe.
Are travel Wi-Fi routers secure?
At a recent Kaspersky Lab’s Security Analyst Summit there was a lot of cool research that made you think. Although a lot of talks centered on deep APT research and threats to businesses, there were a few sessions where consumer security was shown to be at risk as well.
One such talk was given by Jan Hoersch, an IT security consultant at Securai GmbH, on vulnerabilities he had discovered in connected Internet of Things (IoT) devices. During the 20-minute talk, four out of seven of the most flawed products mentioned were travel routers.
We have written about hotel Wi-Fi before. It is not always 100% secure, so smart travelers use a travel router to get an additional layer of security as well as the convenience of not having to hook up all of their devices to the hotel’s Wi-Fi network.
Travel routers mainly get positive, even glowing, reviews on sites like Amazon, but you’ll rarely find the word security mentioned in the reviews.
To consumers, it seems, convenience has a far greater appeal than being safe and secure. Who cares if your devices are pwned when you can stream Netflix despite the hotel blocking it?
Putting the last sarcastic comment aside, the sad reality (as, again, we have covered in the past) is that security is not the number one priority when it comes to launching an IoT product.
With the routers, Hoersch told the crowd, “You often find hardcoded passwords. Most of the time they’re just there to be exploited, like a backdoor.”
What exploits did he find?
For starters, one of the routers could send across user data (user name, SSID, admin password) in plaintext — all an attacker would have to do is send an SMS message to the router and wait for the info to be sent back. Others included LAN port vulnerabilities, easily manipulated settings, and also the ability to inject malicious, unauthenticated commands. In short, things you probably don’t want snooping around your Web traffic or connected to your computer.
The question remains: What can I do to protect myself?
Do your research. This does not mean simply reading reviews on Amazon for end-user reviews. Go to technology sites and read the technical details or Google the device and security flaws.
Check if you can change the default password. Add this to your research phase or at least investigate it when you initially set up the device. As Hoersch noted in his talk, many devices have hardcoded passwords. If you find this to be the case with your device, see point #3 and think about reassessing the purchase and options for exchange.
Determine your risk level. This will be different for each user, but in reality security is up to the individual. If you feel that your antivirus product and your personal security protocol are strong, you may be willing to take a higher risk. However, if you use Password1234 as your default or share your password across multiple networks, you may want to reassess (and think about a password manager).