Go ahead and pooh-pooh the overdone marketing of the Badlock vulnerability. With its fire-engine-red logo and a dedicated website that went live more than a month before any patches were released, claims that the risk was shamelessly hyped are justified. That said, Badlock represents a real and critical threat to virtually any organization that runs a Microsoft network. Administrators who don't patch promptly do so at their own peril.

In a nutshell, Badlock refers to a defect in a security component found in just about every version of Windows and, through Samba, in most Linux distributions. The component implements the Distributed Computing Environment/Remote Procedure Call (DCE/RPC) protocol, which administrators around the world use to reach the most valuable asset on any Windows network: Active Directory. Active Directory acts as a network's digital security guard, allowing, for instance, an organization's CFO to log in to an accounting server while locking out the janitor or the groundskeeper. Because it enforces security policies and holds password data and other crucial credentials, it is almost always among the first assets attackers go after once they gain a limited foothold in a targeted network.

DCE/RPC can authenticate and encrypt the connection between an administrator's remote computer and the server running Active Directory. In many ways the scheme is analogous to Transport Layer Security (TLS), which protects connections between end users and the websites they visit: DCE/RPC verifies that each party is who it claims to be, and it can encrypt the data traveling between them. That way, anyone who happens to have access to the same corporate network, say a rogue janitor or groundskeeper employed by the same organization, can't read or tamper with the crucial information flowing to and from Active Directory. Badlock undermines exactly this protection against an attacker who can position himself between the client and the server.

That 'Badlock' Bug Is More Hype Than Hurt
Like a trailer for a blockbuster film, a PR campaign advertising the mysterious “Badlock” bug three weeks ago had computer security experts alternately mocking the company behind the campaign, as well as marking the date on their calendars for when the ...


"From the headquarters which will get expired in next 24 working hours." (credit: Ray Tsang)

As if political campaigns, shady telemarketers hawking home security systems, and the rest of the usual suspects weren't generating enough automated phone calls, three separate groups have used April tax paranoia to fuel fraudulent robocalls claiming to be affiliated with the Internal Revenue Service. Using spoofed US caller-ID numbers, these fraud campaigns try to get anxious taxpayers to fall for their schemes by claiming to call directly from the IRS or from organizations collecting on the IRS's behalf. The scams hit millions of phone numbers over the past few weeks.

Thanks to voice-over-IP technologies and cheap robocall systems, fly-by-night telemarketing operators are able to flout "Do Not Call" list laws and saturate blocks of numbers with calls that push products both real and fake. Ars hunted down one scam last year that used an outbound voice response system designed to convince call recipients that they were talking to an actual person, funneling them toward a fake magazine sweepstakes scam.

The Federal Trade Commission has been searching for technology to help fight robocalls for years. There have been some promising technologies developed to help fight them, such as Robokiller—a cloud service that won last year's FTC "Robocalls: Humanity Strikes Back" contest—but those technologies have thus far failed to materialize in a form that can help the average consumer. Robokiller's development went on hiatus late last year as the team behind it was pulled into other projects.


CAM UnZip v5.1 Archive Directory Traversal
.NET Framework 4.6 allows side loading of Windows API Set DLL

Among today's patches, here is my personal patch ranking by order of urgency:

  1. MS16-050: This is essentially Friday's out-of-band Adobe Flash patch. Adobe stated that it is already used to spread ransomware. So don't wait on this one.
  2. MS16-039: Exploits are available for two of the vulnerabilities, and it is arbitrary code execution with no user interaction. This is the second one you should patch fast.
  3. MS16-037/38: This time, the Internet Explorer patch only fixes 6 vulnerabilities. But still, due to the large attack surface, browser vulnerabilities always need to be taken seriously.
  4. MS16-042: Code execution without user interaction in Microsoft Office will always find someone to write an exploit.
  5. MS16-040: Another large attack surface (XML Core Services) vulnerability. Exploitability is only rated as 2, however.
  6. MS16-041: This one is a bit tricky to pin down, but I rate it right after the XML Core Services one due to the large attack surface (and a bit lower as it requires user interaction).
  7. MS16-044: Wasn't sure if I should rate this above MS16-041 or not. I rated it lower in the end as it does require user interaction.
  8. MS16-045: Only affects Hyper-V, and the attacker needs to already have some access.

No strong preferences on the rest. Did anybody else notice that MS16-043 is missing?

Full patch summary: https://isc.sans.edu/mspatchdays.html?viewday=2016-04-12

If you don't like the layout, here is the API to make your own: https://isc.sans.edu/api/getmspatchday/2016-04-12

(or, if you prefer JSON: https://isc.sans.edu/api/getmspatchday/2016-04-12?json )

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Today, Microsoft and the Samba team jointly released fixes for CVE-2016-2118, a vulnerability also known as Badlock. A man-in-the-middle and denial-of-service vulnerability may not be quite what everybody was waiting for, but it should still be taken seriously and patched.

You are, of course, most at risk if you allow SMB traffic over untrusted networks, which has always been a bad idea. Exploiting a man-in-the-middle vulnerability requires that the attacker can intercept the traffic; carrying SMB inside a VPN keeps it off the untrusted path and so prevents exploitation.

What to tell your Boss/Spouse/Parent

Due to the hype associated with this vulnerability, you will likely get a lot of questions about it. Overall, nothing fundamentally changed:

  • Patch as you get to it, but no reason to rush this one
  • Do not use SMB over networks you don't trust
  • Firewall SMB inbound and outbound
  • If you need to connect to remote file shares, do so over a VPN.
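The two rules of thumb above (no SMB over networks you don't trust, firewall it in both directions) are easy to state and easy to violate silently. As an added example, not code from the ISC diary, here is a small checker that runs over connection records and reports every SMB flow that crosses the trust boundary, in either direction. The record layout is an assumption modelled on Zeek's conn.log columns, the trusted address ranges are a hypothetical site policy, and the sample records are constructed for the example.

```python
"""Spot SMB flows that leave the trusted network.

Added example (not code from the ISC diary). Input is a tab-separated
layout modelled on Zeek conn.log fields (ts, id.orig_h, id.orig_p,
id.resp_h, id.resp_p, proto); that layout, the trusted ranges and the
sample records below are all assumptions made for this example.
"""
import ipaddress

# SMB over TCP (445) and SMB over the NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Assumption: the site's trusted (internal and VPN) address ranges.
# "Trusted" is a policy list, not "RFC 1918": 172.16.0.0/12 is
# deliberately left out, so flows to it are reported.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample records: ts  orig_h  orig_p  resp_h  resp_p  proto
SAMPLE_CONN_LOG = """\
# fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1460505600.1\t10.1.2.3\t51000\t10.1.0.10\t445\ttcp
1460505601.2\t10.1.2.3\t51001\t203.0.113.20\t445\ttcp
1460505602.3\t198.51.100.7\t40000\t10.1.0.10\t445\ttcp
1460505603.4\t10.1.2.4\t51002\t10.1.0.11\t139\ttcp
1460505604.5\t10.1.2.5\t51003\t203.0.113.21\t443\ttcp
1460505605.6\t10.1.2.6\t51004\t172.16.5.5\t445\ttcp
"""


def is_trusted(addr: str) -> bool:
    """True if addr falls inside one of the trusted ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def parse_conn_log(text: str) -> list:
    """Parse the tab-separated records, skipping comment and blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
        records.append({
            "ts": float(ts),
            "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p),
            "proto": proto,
        })
    return records


def find_untrusted_smb(records: list) -> list:
    """Return (ts, direction, orig_h, resp_h, resp_p) for every SMB flow
    whose remote side lies outside the trusted ranges.

    'outbound': an internal client talking SMB to an untrusted server;
                anyone on that path can play man-in-the-middle.
    'inbound':  an untrusted host reaching an internal SMB service;
                this is what "firewall SMB inbound" should have stopped.
    """
    findings = []
    for r in records:
        if r["proto"] != "tcp" or r["resp_p"] not in SMB_PORTS:
            continue
        if not is_trusted(r["resp_h"]):
            findings.append((r["ts"], "outbound", r["orig_h"], r["resp_h"], r["resp_p"]))
        elif not is_trusted(r["orig_h"]):
            findings.append((r["ts"], "inbound", r["orig_h"], r["resp_h"], r["resp_p"]))
    return findings


if __name__ == "__main__":
    for ts, direction, orig_h, resp_h, resp_p in find_untrusted_smb(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{ts:.1f} {direction:8s} {orig_h} -> {resp_h}:{resp_p}  SMB outside trusted nets")
```

Run it against a real conn.log export after adjusting TRUSTED_NETS; VPN address pools belong in that list, since SMB inside the tunnel is the recommended setup. On the constructed sample it reports three flows: the outbound session to 203.0.113.20, the inbound session from 198.51.100.7, and the outbound session to 172.16.5.5. The last one is the point of the deliberate gap in the policy: trust is about which segments you control, not about whether an address happens to be private.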

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Open redirect on Google.com

LockPath Announces Expansion of Patented Dynamic Content Framework in Keylight 4.4
EIN News (press release)
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to ...


Confer Opens New Office to Accommodate Rapid Growth
PR Newswire (press release)
Confer was recognized as a Leader in Endpoint Security at RSA Conference by Cyber Defense Magazine Infosec Awards, and won Gold and Silver Product and Startup of the Year Awards at the 2016 Info Security Product Guide's Global Excellence Awards®.

Wordpress Robo Gallery v2.0.14 - Code Execution Vulnerability
[SECURITY] [DSA 3485-2] didiwiki security update

Critically Overconfident? Execs Double Down on Total Threat Detection
Security Intelligence (blog)
Solving this problem requires a two-fold effort: InfoSec professionals need to get better at clearly articulating threats to non-IT staff, and C-suite members need to ask for the gritty details rather than spit-polished overviews. The bottom line for ...


Adobe Releases Emergency Flash Update to Combat Ransomware Attacks
MarTech Advisor
The bug in Flash Player was discovered by the researchers at Infosec and Trend Micro Inc. The vulnerability affected Flash Player versions for all the platforms – Windows, Mac, Chrome and even Linux – leaving more than a billion customers of Adobe ...
