Archive for RB

Is Yuzo on Your WordPress site?

I am still busy unpacking and re-arranging the furniture at the new home of Bach Seat. One of the nicer things about my new host is that I can now get WordPress alerts. And I have been getting a ton of alerts from the firewall that it blocked “yuzo-related” attack attempts. So I decided to see WTF “yuzo-related” attack attempts were about and found an excellent explanation on the WordFence site.

60,000 WordPress websites

Dan Moen at WordFence explains that the Yuzo Related Posts (YRP) plugin for WordPress has an unpatched vulnerability that was publicly disclosed by a security researcher on March 30, 2019. The flaw, which allows stored cross-site scripting (XSS), is now being exploited in the wild. The buggy plugin is installed on over 60,000 websites and has been removed from the WordPress.org plugin directory.

WordFence recommends that all users remove the plugin from their sites immediately.

The blog’s author writes that the vulnerability in YRP stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below is the crux of the problem. There is more in-depth coding tech-talk at WordFence.

    }elseif( is_admin() ){ // only admin

He says developers often mistakenly use is_admin() to check whether a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used: it only reports whether the current request is for an admin-area page, not whether the user making the request is an administrator.
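To make the is_admin() mistake concrete, here is an added illustration (written for this post; it is not the Yuzo plugin’s code, and the option, action and field names are hypothetical). It shows a settings-save routine guarded only by is_admin() next to a version guarded by a capability check, a nonce check and sanitization, with the stored value escaped again when it is rendered:

```php
<?php
/*
 * Added illustration, not the Yuzo plugin's code. Option name, action name,
 * nonce name and field names are hypothetical.
 */

// VULNERABLE PATTERN: is_admin() is true for any request to an admin-area
// page (wp-admin/*, which includes admin-ajax.php). It says nothing about who
// sent the request, so an unauthenticated visitor passes this check and can
// store arbitrary content, script tags included, in the plugin's settings.
function example_save_settings_vulnerable() {
    if ( is_admin() ) {                                   // "only admin"? No: only the admin *area*
        update_option( 'example_related_posts', $_POST['settings'] ); // untrusted, unsanitized
    }
}
add_action( 'init', 'example_save_settings_vulnerable' );

// HARDENED: require the capability an administrator has, verify the nonce so
// the request came from the plugin's own settings form, then sanitize each
// field to the type it is supposed to hold before storing it.
function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_save'] ) ) {
        return; // not a save request
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_settings', 'example_nonce' ); // dies on a bad or missing nonce

    $raw   = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $clean = array(
        'title' => sanitize_text_field( $raw['title'] ?? '' ),
        'count' => absint( $raw['count'] ?? 5 ),
        'css'   => wp_strip_all_tags( $raw['css'] ?? '' ),
    );
    update_option( 'example_related_posts', $clean );
}
add_action( 'admin_init', 'example_save_settings_hardened' );

// Stored settings are still data, so escape them again at output time. This is
// the step that keeps a stored value from running as script in the visitor's browser.
function example_render_title() {
    $opts = get_option( 'example_related_posts', array() );
    echo '<h3>' . esc_html( $opts['title'] ?? 'Related posts' ) . '</h3>';
}
```

The hardened form only works if the settings form itself emits the matching nonce with wp_nonce_field( 'example_save_settings', 'example_nonce' ); without that, check_admin_referer() rejects every save, which is the safe failure. The capability check is the part Yuzo was missing; the nonce and the output escaping are the two layers that still hold if one of the others is forgotten.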

Injects malicious JavaScript

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.

As evidenced by the number of probes against my site, threat actors have begun exploiting sites with YRP installed. The exploits in the wild inject malicious JavaScript. When a visitor lands on a compromised website containing the malicious payload, they are redirected to malicious tech support scam pages.

The WordFence analysis shows that the attempts to exploit this vulnerability in YRP share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

The security researchers found that all three campaigns so far have in common:

  • A malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53.
  • Exploitation of stored XSS injection vulnerabilities, followed by deployment of malicious redirects.

WordFence is confident that the tactics, techniques and procedures in all three attacks point to a common threat actor.

WordFence recommends that WordPress site owners running Yuzo Related Posts remove it from their sites immediately, at least until a fix has been published by the author.

rb-

What to do?

    • Keep your WordPress and plugins up to date.
    • Do you really need Yuzo Related Posts? Here is a list of alternatives from WordPress.
    • Make sure you have good backups of your WordPress site – and that you can restore them.
    • Get a firewall on your WordPress site.
    • Block the IP 176.123.9[.]53 from your site.
    • Harden your WordPress site.
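Blocking the IP and removing the plugin addresses future attempts; checking whether a site was already hit is the other half. The following is an added example (not WordFence’s code or the plugin’s) that scans a chunk of stored option text or rendered HTML for the indicators named above and for any remotely sourced script tag, which is the shape of the injected payload. The sample input is constructed for the illustration; the function name is hypothetical.

```php
<?php
// Added example, not code from WordFence or the Yuzo plugin.
// Scans text for the indicators WordFence reported (the defanged "[.]" form
// is written out so a match works against live content) and for any
// <script src="..."> that loads from a remote host.

function example_find_indicators( string $html ): array {
    $indicators = array(
        'domain' => 'hellofromhony.org',   // reported malicious script host
        'ip'     => '176.123.9.53',        // address that host resolves to
    );
    $hits = array();
    foreach ( $indicators as $label => $value ) {
        if ( stripos( $html, $value ) !== false ) {
            $hits[] = $label;
        }
    }
    // Any script tag pulling from another host; protocol-relative "//host" included.
    if ( preg_match_all( '#<script[^>]+src=["\']?(https?:)?//([^/"\'\s>]+)#i', $html, $m ) ) {
        foreach ( array_unique( $m[2] ) as $host ) {
            $hits[] = 'external-script:' . $host;
        }
    }
    return $hits;
}

// Constructed sample: a related-posts option value that has been tampered with.
$sample = '<div class="related">...</div>'
        . '<script src="//hellofromhony.org/x.js"></script>';

print_r( example_find_indicators( $sample ) );
// Array ( [0] => domain [1] => external-script:hellofromhony.org )
```

On a real site you would feed it the plugin’s stored options (for example the output of `wp option get` for each option the plugin writes) and the HTML of a few rendered pages. A hit on the domain or IP is a strong sign the site was compromised and should be restored from a known-good backup; the external-script entries need a comparison against the hosts the site legitimately loads from, since analytics and CDN scripts will show up there too.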

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Password Reset Practices “Obsolete”

Followers of the Bach Seat know that passwords suck. And now Microsoft (MSFT) has joined me in that revelation. The boys in Redmond recently recommended that organizations no longer force employees to change their password every 60 days.

In a TechNet blog penned by Aaron Margosis, a principal consultant for Microsoft, the company called the practice – once a cornerstone of enterprise identity management – “ancient and obsolete” as it told IT administrators that other approaches are much more effective in keeping users safe.

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value

In the latest security configuration baseline for Windows 10 “May 2019 Update” (1903) (available as a ZIP file for download here), which lets administrators apply Microsoft-recommended GPO baselines to improve a system’s overall security posture and reduce a Windows 10 machine’s attack surface, Microsoft dropped the idea that passwords should be frequently changed. Previous baselines had advised enterprises to mandate a password change every 60 days. (And that was down from an earlier 90 days.)

Mr. Margosis acknowledged that policies to automatically expire passwords – and other group policies that set security standards – are often misguided. He wrote,

The small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management … Better practices, however, cannot be expressed by a set value in a group policy and coded into a template.

Among those other, better practices, Mr. Margosis mentioned multi-factor authentication – also known as two-factor authentication – and banning weak, vulnerable, easily guessed, or frequently revealed passwords.

ComputerWorld points out that Microsoft is not the first to doubt the convention. The National Institute of Standards and Technology (NIST) made similar arguments as it downgraded regular password replacement. “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically),” NIST said in a FAQ that accompanied the June 2017 version of SP 800-63, “Digital Identity Guidelines,” using the term “memorized secrets” in place of “passwords.”

At the time, the institute explained why mandated password changes were a bad idea this way:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.

Both NIST and Microsoft urged organizations to require password resets when there is evidence that passwords have been stolen or otherwise compromised. And if they haven’t been touched? “If a password is never stolen, there’s no need to expire it,” Microsoft’s Margosis said.

John Pescatore, the director of emerging security trends at the SANS Institute, told ComputerWorld:

I agree 100% with Microsoft’s logic for enterprises, which are who uses [group policies] anyway … Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it.

Like Microsoft and NIST, SANS’ Pescatore thinks periodic password resets are the hobgoblins of little minds. “Having [this] as part of the baseline makes it easier for security teams to claim compliance because auditors are happy,” Pescatore told ComputerWorld. “Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. A great example of how compliance does not equal security.”

ComputerWorld notes other changes in the Windows 10 1903 draft baseline: Microsoft also dropped policies for the BitLocker drive-encryption method and its cipher strength. The prior recommendation was to use the strongest available BitLocker encryption, but that, Microsoft said, was overkill (“Our crypto experts tell us that there is no known danger of [128-bit encryption] being broken in the foreseeable future,” MSFT’s Margosis told ComputerWorld), and it could easily degrade device performance.

Microsoft is also looking for feedback on a proposed change that would drop the forced disabling of Windows’ built-in Guest and Administrator accounts. Microsoft’s Margosis hedged a bit:

“Removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.”

rb-

We have covered this before: forcing users to change passwords over short time frames inevitably leads to users choosing the simplest, most memorable, and most crackable passwords possible. Things have changed over the years, including technology that now enables threat actors to crack simplistic passwords easily.

MSFT is now actively pushing MFA in the enterprise, so it is not surprising that it is moving away from this general password policy.

MSFT changing its security baselines won’t change requirements made by regulatory authorities (PCI-DSS, HIPAA, SOX, NERC) and auditors. It takes years and years for them to change.

The change does not affect home users – but maybe it will make them think?

Slowly the world of passwords is starting to come under control.


What is 5G ?

Updated 07/16/2019 – Qualcomm released the Snapdragon 855 Plus. It features a Kryo 486 CPU Prime core with a clock speed of 2.96 GHz and a 15% faster Adreno 640 GPU. Qualcomm claimed in a presser that the 855 Plus would deliver better coverage and all-day battery life in 5G devices.

AT&T (T), Verizon (VZ), Sprint (S), and other carriers are hyping 5G. But what exactly is 5G? If you believe the hype, it is the greatest thing since sliced bread. 5G will improve our homes, make our cities safer, our machines smarter, our cars driverless, our entertainment mobile and our phones faster. So what is the tech behind the hype?

When 5G really gets here it will bring three improvements to current wireless: greater speed, lower latency, and more connections. The real advantages of 5G will come in massive capacity and lower latency. The standards bodies involved are aiming at 20Gbps speeds and 1ms latency.

Work on 5G started 10-15 years before anything went commercial, Marcus Weldon, CTO and president of Nokia Bell Labs, told FierceWireless. Finally, in 2017, the 3rd Generation Partnership Project, the standards body that writes the rules for wireless connectivity, agreed on the first specification for 5G. The Non-Standalone Specification of the 5G New Radio standard covers the 600 and 700 MHz bands and the 50 GHz millimeter-wave end of the spectrum. But, as followers of the Bach Seat know, agreeing on a standard doesn’t guarantee that implementations will work the same, nor does it say what applications the standard will enable.

The G in this 5G means it’s a generation of wireless technology. PC Magazine says that while most wireless generations have technically been defined by their data transmission speeds, each has also been marked by a break in encoding methods, or “air interfaces,” that makes it incompatible with the previous generation. The earlier G’s were:

  • 1G was analog cellular.
  • 2G technologies, such as CDMA, GSM, and TDMA, launched in 1991, were the first generation of digital cellular technologies, designed without much concern for data transmission or the mobile Web.
  • 3G technologies, such as EVDO, HSPA, and UMTS, brought speeds from 200kbps to a few megabits per second. 3G focused on applications in voice telephony, mobile Internet, video calls, and mobile TV.
  • 4G technologies, such as WiMAX and LTE, were the next incompatible leap forward, and they are now scaling up to hundreds of megabits and even gigabit-level speeds. 4G was designed to better support IP telephony, video conferencing, and cloud computing, as well as video streaming and online gaming.

The actual 5G radio system, known as 5G-NR, isn’t compatible with 4G. But for the foreseeable future, all US 5G devices will need 4G to set up 5G connections where it’s available. That’s technically known as a “non-standalone,” or NSA, network. Later 5G networks will become “standalone,” or SA, not requiring 4G coverage to work.

Like other cellular networks, 5G networks use a system of cell sites that divide their territory into sectors and send encoded data through radio waves according to PCMag. Each cell site requires a network backbone connection, whether through a wired or wireless backhaul connection. 5G networks use a type of encoding called OFDM.

5G is designed to carry higher speeds by using much larger channels than 4G. While most 4G channels are 20MHz, bonded together into up to 160MHz at a time, 5G channels can be up to 100MHz, with Verizon using as much as 800MHz at a time. That’s a much broader highway, but it also requires larger, clear blocks of airwaves than were available for 4G. PCMag cites Qualcomm’s (QCOM) claim that 5G will be able to boost capacity by four times over current systems by leveraging wider bandwidths and advanced antenna technologies.

5G primarily runs in two kinds of airwaves: below and above 6GHz. Low-frequency 5G networks, which use existing cellular and Wi-Fi bands, take advantage of more flexible encoding and bigger channel sizes to achieve speeds 25 to 50 percent better than LTE, according to a presentation by T-Mobile (TMUS) exec Karri Kuoppamaki.

Those networks can cover the same distances as existing cellular networks and generally won’t need more cell sites. Rural networks will likely be stuck with low-band 5G, because low-frequency bands have a great range from cell towers.

To get super-high, multi-gigabit speeds, carriers are turning to newer, much higher frequencies, known as millimeter wave (mmWave). In the existing cellular bands, only relatively narrow channels are available because that spectrum is so busy and heavily used. But up at 28GHz and 39GHz, there are big, broad swathes of spectrum available to create big channels for very high speeds.

The 28GHz and 39GHz bands have previously only been used for backhaul. They haven’t been used for consumer devices before, because the handheld processing power and miniaturized antennas weren’t available. Millimeter wave signals also drop off faster with distance than lower frequencies, and the massive amount of data they transfer will need more connections to landline internet. So cellular providers will have to use many smaller, lower-power base stations rather than fewer, more powerful macrocells to offer the multi-gigabit speeds that millimeter wave networks promise.

There’s a third set of 5G airwaves being used overseas. These frequencies, ranging from 3.5GHz to 7GHz, are slightly above current cellular bands but offer quantities of spectrum (and therefore speed) that approach mmWave. The US is falling behind other countries in the mid-band spectrum because over here it’s being used for satellite communications and the Navy.

Bell Labs’ Weldon described his idea of a true 5G network for FierceWireless:

you need a low band that gives you nationwide coverage—higher efficiency on it; a mid-band for high-capacity, relatively locally; and millimeter-wave for super high-capacity, extremely locally, and if you blend all those together, you’ve got a network that really is significant.

Some believe that mmWave 5G will not work. T-Mobile CTO Neville Ray wrote that millimeter-wave won’t be able to deliver on the promise of 5G because it doesn’t travel far. Jeffrey Moore, principal analyst at Wave7 Research, told FierceWireless, “…there are definitely some concerns about the economics of 5G.”

rb-

5G is an investment for the next decade. It is unlikely that the next big application will drop on 5G until 2021 or 2022. It is likely that a true 5G iPhone won’t appear until late 2020, and Qualcomm will not release its second-generation Snapdragon X55 5G modem until late 2019. The new chip will support all major spectrum types and bands. Qualcomm claims it is capable of 7Gbps downloads. Until then, the wireless carriers will jockey for customers and mind share.

The providers desperately need 5G to boost smartphone sales. The smartphone market is saturated. Deloitte found (PDF) that 80% of people in developed nations now own a smartphone and wait up to 4 years to replace their device – a significant increase from the 2-year refresh rate in 2011-12.


Bach Seat is Moving

Pardon my dust while I shake out the cobwebs from my corner of the web.


Mitel – Avaya Hook Up?

Updated August 28, 2019 – Rumors continue to swirl about the future of Avaya. Channel Partners is reporting there are two offers on the table. They cite reports from Bloomberg that Avaya is considering a bid by Mitel, and Reuters is reporting that Avaya is considering an all-cash offer from private equity firm Clayton Dubilier & Rice.

Channel Partners speculates that the Mitel-Avaya deal would “…result in a company with a market share that would rival key industry players Cisco and Microsoft.”

Avaya buy-out rumors are back. Last month it was thought that a PE firm, possibly Searchlight Capital Partners, was going to buy Avaya. The unnamed private equity firm valued Avaya at more than $5 billion, including debt.

The newest report is that Ottawa-based Unified-Communications-as-a-Service provider Mitel is looking to acquire Avaya in an all-stock merger valued at between $2.2 billion and $2.4 billion, according to The Wall Street Journal.

The reported deal would value communications equipment and software provider Avaya at $20 to $22 per share, a premium based on its current stock price of about $18 per share on Monday 04/29/2019. If Avaya and Mitel are able to strike a deal, the merger could happen as soon as next month, the WSJ said, citing mysterious people familiar with the matter.

CRN says that the Avaya-Mitel deal could help the two companies compete against their larger UC competitors. Mitel typically plays well in the small to midsize market, while Avaya has a large installed base of enterprise customers because of its legacy in the UC hardware arena.

Zeus Kerravala at NoJitter points out that the reported $2 billion purchase price doesn’t take into account Avaya’s roughly $3 billion in debt. With debt included, the offer would have to come in at a total enterprise value of $5 billion to be of interest to shareholders.

Mr. Kerravala believes that a successful merger between Avaya and Mitel would create a behemoth of a company, bringing the number two and number three voice vendors together. He cites Synergy Research Group data that shows Cisco (CSCO) the leader with about 44% market share, Avaya second at 10%, and Mitel third at 8%. He believes a combined Avaya and Mitel would hold the industry’s biggest installed base.

[Figure: Synergy enterprise voice market share estimate. Source: Synergy Research Group]

The merger would also be beneficial as the industry becomes more artificial intelligence (AI)-centric, where data and scale are must-haves. Mr. Kerravala believes Avaya and Mitel are stronger together than apart on AI. That said, if a deal doesn’t happen, the companies should still be fine continuing down their current trajectories, optimizing their internal resources while leveraging partners for AI. They can still do this, although it would be easier as a bigger company.

An investment group led by private equity firm Searchlight Capital Partners acquired Mitel in April 2018 in a $2.6 billion deal that took the company private. Mitel has a history of growing via acquisitions. In 2017 the company completed the acquisition of competing UC provider ShoreTel for $530 million. The move helped Mitel become one of the largest UCaaS providers in the world. The company lost out on its deal to acquire videoconferencing provider Polycom in 2016 to Siris Capital Group.

rb-

This is just more of the same for Avaya. The crowning jewel in this deal is Avaya’s corporate call center business. Avaya’s call center business is the product of the acquisition of Nortel assets, after the Canadian networking giant’s bankruptcy in 2009.

This deal is really about the cloud. TechCrunch notes that Searchlight has a strategic stake in Rackspace, another legacy company that it took private for $4.3B in 2016.

Will Searchlight leverage its investments in Rackspace, Mitel, and now Avaya to build a cloud-based UCaaS juggernaut to take on the likes of Cisco, Microsoft, Slack, RingCentral, 8×8, even Google and Amazon?
