Tag Archive for Security

Symantec Sold

Updated 01/08/2020 – Broadcom is selling off parts of Symantec less than 2 months after closing the deal. Reports have consulting giant Accenture buying Symantec’s Cyber Security Services unit for an undisclosed amount.

Under the deal, Accenture will take over Symantec’s global network of six security operations centers located in the U.S., the U.K., India, Australia, Singapore, and Japan. The SOCs provide threat monitoring, analysis, and incident response services. Accenture says it will use the Symantec business unit to boost its managed security services.

Updated 09/17/2019 – As predicted below, Symantec has started slashing jobs. According to reports, up to 230 Symantec employees will be terminated on October 15, 2019.

I could have saved a bunch of people a bunch of money – IF you had read this post, you would already have had doubts about this deal before professional prognosticators Forrester said the same thing on August 9th. In their report analyzing the deal, the market researcher cited Intel’s 2010 acquisition of McAfee and the subsequent $3 billion loss from spinning the security company off to private equity in 2016. They said the deal should serve as a warning to CISOs about the future of Symantec’s product portfolio under Broadcom. Well NO DUH.

Broadcom (AVGO) has acquired Symantec’s (SYMC) enterprise security business for $10.7 billion in cash. The two firms consummated their hot-and-cold bromance M&A discussions in writing today (08/08/2018).

The deal is expected to bring in over $2 billion in annual revenue for the San Jose, CA-based firm. Broadcom intends to fund the transaction with proceeds from new committed debt financing. The transaction is expected to close in Q1 of Broadcom’s fiscal year 2020.

Broadcom, historically a semiconductor business, has been on an M&A tear in the past few years, buying its way into a broader market position. First came the 2016 $5.9 billion purchase of network equipment vendor Brocade. Next was the 2018 $18.9 billion acquisition of CA Technologies. That was followed by today’s $10.7 billion pick-up of Symantec. In the presser, Broadcom CEO Hock Tan called the Symantec purchase “... the next logical step in our strategy … expanding our footprint of mission-critical infrastructure software within our core Global 2000 customer base.”

Rumors of the purchase first appeared in the press on July 03, 2019, with “advanced talks” happening on July 15th to purchase all of Symantec for $22 billion, but by July 15, Symantec had reportedly walked away from the table. Reports at the time (which appear to be true) were that Broadcom was after just the enterprise-cybersecurity software business, leaving the consumer business as an independent company or a spin-off to somebody else.

ChannelE2E says the potential deal makes sense on paper. Broadcom is known for acquiring struggling or slow-growth enterprise technology businesses, stripping out costs and boosting profitability. They explain that Broadcom’s secret to M&A success is clearly communicating staff reduction plans to acquired businesses, investors, and associated end customers. Broadcom is known for swift M&A staff cuts that include reasonable severance packages for employees — rather than long, drawn-out, torturous headcount reductions.

ChannelE2E also correctly predicted the Symantec team could face job cuts, layoffs, or potential business spin-offs as a result of the deal. Right on cue, Symantec announced layoffs of roughly 7% of its more than 11,000 employees during FY 2020. The company also plans to downsize, vacate or close certain facilities and data centers in connection with the restructuring plan.

The Symantec name will be sold to Broadcom as part of the transaction. Interim Symantec CEO Rick Hill said the remaining consumer business contributed 90% of the company’s total operating income, and the company expects to be able to continue to grow revenue for its Norton LifeLock business in the mid-single digits going forward. CEO Hill tried to spin the sale as a win in a presser.

This is a transformative transaction that should maximize immediate value to our shareholders while maintaining ownership in a pure play consumer cyber safety business with predictability, growth and strong consistent profitability.

Symantec’s struggles in recent years, which may have led to the buy-out, are chronicled by ChannelE2E. Former CEO Greg Clark resigned in May 2019 amid weak enterprise cybersecurity software revenues. Executive team departures over the past year have also included Symantec’s CFO, chief operating officer, chief marketing officer and the head of its go-to-market teams. Board member Rick Hill has been interim president and CEO of the company since that time.

Symantec was late to cloud-and mobile-centric cybersecurity services, and faced intense competition from next-generation endpoint protection providers, including:

rb-

Deja Vu All Over Again

The sense of deja-vu all over again you are experiencing is real. Intel and McAfee tried this nearly a decade ago. Intel purchased top Symantec competitor McAfee for $7.7 billion. The expected “synergies” (WTF that means) never materialized. Intel ended up spinning off McAfee to private equity firm TPG in a 2016 sale that valued the business at $4.2 billion.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Fix Your Dongle – Today

If you use a Logitech (LOGI) wireless mouse, keyboard or other device, fix your dongle! The Logitech wireless dongle (officially the Unifying Receiver) is vulnerable to an issue discovered in 2016 as well as newly discovered vulnerabilities unless you’ve updated the firmware. Download and install the latest firmware update to protect against these vulnerabilities.

Mousejack attack

Affected Logitech wireless devices are vulnerable to a hack called “Mousejack.” Mousejack (CVE-2016-10761) was first reported in 2016 by IoT security firm Bastille Networks, Inc. The Mousejack attack works by sending malicious radio signals (packets) wirelessly to an unsuspecting user through Logitech Unifying wireless technology. Logitech only partially fixed the hole (CERT VU#981271) in 2016. Mousejack uses the vulnerable Logitech Unifying receiver to intercept and inject unencrypted signals within a range of about 100 meters.

Incomplete fix

Logitech did not recall the Unifying Receiver back in 2016 when Mousejack appeared. Four new vulnerabilities were discovered in 2019. The new vulnerabilities are based on the incomplete 2016 fix. Logitech will only fix two of the four vulnerabilities; the others will remain unpatched. The vulnerabilities are logged as:

Logitech will not fix the holes identified in CVE-2019-13052 or CVE-2019-13053, both of which impact all Logitech Unifying devices. A Logitech representative told The Verge:

Logitech evaluated the risk to businesses and to consumers and did not initiate a recall of products or components already in the market and supply chain.

Logitech plans to patch the security flaws in CVE-2019-13054 (impacts Logitech R500 and Logitech SPOTLIGHT) and CVE-2019-13055, which affects all encrypted Unifying devices with keyboard capabilities.

All Logitech USB dongles

Marcus Mengs, the researcher who discovered these vulnerabilities, told ZDNet the vulnerabilities impact all Logitech USB dongles that use the company’s proprietary “Unifying” 2.4 GHz radio technology to communicate with wireless devices.

Unifying is a Logitech standard dongle radio technology, and has been shipping with a wide range of Logitech wireless gear since 2009. The dongles are often found with the company’s wireless keyboards, mice, presentation clickers, trackballs, and more.

  • Sniff keyboard traffic,
  • Inject keystrokes (even into dongles not connected to a wireless keyboard)
  • Take over the computer to which a dongle has been connected.
  • Steal the encryption key between the dongle and its paired device
  • Bypass a “key blacklist” designed to prevent the paired device from injecting keystrokes

Bastille Networks

Techsupportalert.com reports that many of the vulnerable dongles are still on the market even though Logitech started releasing updated dongles sold with mice, keyboards, and stand-alone receivers.

Hard to find firmware update

Not long after the discovery, Techsupportalert.com says, Logitech issued a firmware update, but it was hard to find on the support site and wasn’t widely known. If you didn’t update the firmware then (and most of us didn’t know about it), now is an excellent time to update.

Even if you installed the Logitech drivers and configuration app that came with the device, you are not protected. The required firmware update is not included, it must be downloaded and installed separately.

Give credit to Logitech: their firmware can be updated, whereas other manufacturers’ wireless dongles cannot be updated. This includes products from Microsoft, Dell (DELL), HP (HPQ), and Lenovo (LNVGY). In fact, any device that uses the same Nordic Semiconductor or Texas Instruments (TXN) chips and firmware for wireless receivers is vulnerable. The Nordic nRF chip is a common chip used in wireless keyboards, mice, and presentation tools, and is frequently found in non-Bluetooth wireless input devices.

If you use a wireless device from Logitech or the Lenovo 500 devices, Bastille recommends you update your firmware. Any other non-Bluetooth wireless devices should be disconnected and you should contact your vendor and ask what models are not vulnerable before you replace your current gear.

Lenovo’s announcement is here.

Logitech’s announcement is here.

Here are the direct download links to the Logitech Unifying Receiver firmware update for PC, Mac, and the gaming mouse:

  • Logitech PC firmware update (zip)
  • Logitech Mac firmware update (zip)
  • Logitech G900 gaming mouse firmware update (zip)

rb-

You probably have an affected device on your network. Logitech has sold well over a billion mice. Users can recognize that they’re using a vulnerable dongle if it has an orange star printed on one of its sides.

If you have any extra Logitech wireless dongles around (I have several) you may want to update them.

You should also check back in with Logitech support, to see if the promised additional fixes will be forthcoming in August 2019.


Presidential Wannabes Don’t Use Email Security

We are in the run-up to the silly season of the 2020 U.S. presidential election. Not much has changed in the three years after Trump operatives Russian hackers targeted and breached the email accounts of Hillary Clinton’s presidential campaign. Email security firm Agari reports that nearly all 2020 presidential candidates have learned nothing. They have not implemented email security. They are not protected against email attacks, fraud, and data breaches of the kind typically run by nation-states.

During the 2016 presidential campaign, the chairman of Hillary Clinton’s campaign, John Podesta, was the victim of a spear-phishing attack. That attack led to the now-infamous WikiLeaks email publication. The WikiLeaks release derailed the campaign and influenced the result of the election. Agari’s CMO, Armen Najarian, explained the importance of DMARC email protection:

DMARC is more important than ever because if it had been implemented with the correct policy on the domain used to spearphish John Podesta, then he would have never received the targeted email attack from Russian operatives.

Which campaign practices email security

Data released by the California-based firm found that just one presidential hopeful uses DMARC for email security. Democratic candidate Elizabeth Warren’s campaign is the only one that uses DMARC for email security. The Warren campaign has completely secured its campaign against the types of email threats that took down Clinton and harmed her campaign staff, potential donors, and the public.

Agari said in a blog post that the remaining 11 candidates it checked do not use DMARC. This includes Bernie Sanders, Joe Biden, and presidential incumbent Donald Trump. None of them uses DMARC on their campaign domains to secure their email accounts. The company warned that the candidates risk their campaigns being impersonated in spam campaigns and phishing attacks.

Agari also analyzed the advanced email security controls of the campaigns. They found that 10 of 12 have no additional protection beyond the basic security included in Microsoft Office 365 or G Suite.

Email alphabet soup

DMARC is not itself an email authentication protocol. It sits on top of the authentication standards SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Together with SPF and DKIM, DMARC supplements SMTP, the basic protocol used to send email, because SMTP does not include any mechanism for email authentication.

A properly configured DMARC policy tells a receiving server whether or not to accept an email that claims to come from a particular domain. DMARC records are published in DNS, alongside the domain’s other records, including:

  • SPF
  • A-record
  • CNAME
  • DKIM

Matt Moorehead at Return Path explains that DMARC is the latest advance in email authentication. DMARC ensures that legitimate email properly authenticates against established SPF and DKIM standards and that fraudulent activity appearing from domains under the organization’s control is blocked. Two key values of DMARC are domain alignment and reporting.

DMARC’s alignment feature prevents spoofing of the email “header from” address. To pass DMARC, a message must pass SPF authentication with an aligned domain, and/or pass DKIM authentication with an aligned domain. A message fails DMARC only if it fails both checks: (1) SPF or SPF alignment and (2) DKIM or DKIM alignment.

rb-

Using email authentication to prove that an email comes from the domain it claims to come from is important because nearly 30% of advanced email attacks (PDF) come from hijacked accounts. Without email authentication, accounts are vulnerable to email-initiated breaches – attacks typically run by nation-states. The 2018 Verizon DBIR found that nation-state groups accounted for at least 23% of the attacks in successful breaches by an outsider.

DMARC is a widely deployed technology that can make the “header from” address (what users see in their email clients) trustworthy. DMARC helps protect customers and brands; it discourages cybercriminals, who are less likely to target a brand with a DMARC record.
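The alignment rule above is easiest to see in code. The following is an added example written for this post (not Agari’s or any mail provider’s code): a simplified DMARC evaluator that parses a record, applies strict or relaxed alignment, and returns the action the published policy calls for. The domain names are constructed, and the organizational-domain derivation (last two labels) is a simplification; real receivers consult the Public Suffix List.

```python
# Added example: simplified DMARC evaluation (constructed domains; simplified
# organizational-domain logic). Not the code of any real mail receiver.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=r; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.
    Assumption of this example: real implementations use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from, authenticated_domain, mode):
    """Strict ('s') alignment needs an exact match with the header From domain;
    relaxed ('r') accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return header_from.lower() == authenticated_domain.lower()
    return org_domain(header_from) == org_domain(authenticated_domain)


def evaluate_dmarc(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (passed, action).

    A message passes if SPF passed AND its MAIL FROM domain aligns with the
    header From, or if DKIM passed AND the signing domain (d=) aligns.
    Otherwise the p= tag decides what the receiver should do.
    """
    tags = parse_dmarc_record(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and is_aligned(header_from, spf_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and is_aligned(header_from, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return True, "deliver"
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, actions.get(tags.get("p", "none").lower(), "deliver")


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; aspf=r; adkim=s"
    # Legitimate campaign mail: SPF passes for a bounce subdomain, relaxed alignment accepts it.
    print(evaluate_dmarc(record, "campaign.example", "pass",
                         "bounce.campaign.example", "pass", "campaign.example"))
    # Spoof: the sender's own SPF passes, but for attacker.example, which does not
    # align with the displayed From domain, so the reject policy applies.
    print(evaluate_dmarc(record, "campaign.example", "pass",
                         "attacker.example", "none", None))
```

The second case is the one that matters for the campaigns discussed here: SPF alone "passes" because the sending server is authorized for the attacker’s own domain, and only the alignment check ties that result back to the address the recipient actually sees. With p=none the same message would still be delivered, which is why a record with p=none only provides reporting, not protection.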


Is Yuzo on Your WordPress site?

I am still busy unpacking and re-arranging the furniture at the new home of Bach Seat. One of the nicer things about my new host is that I can now get WordPress alerts. And I have been getting a ton of alerts from the firewall that it blocked “yuzo-related” attack attempts. So I decided to see WTF “yuzo-related” attack attempts were about and found an excellent explanation on the Wordfence site.

60,000 WordPress websites

Dan Moen at Wordfence explains that the Yuzo Related Posts (YRP) plugin for WordPress has an unpatched vulnerability that was publicly disclosed by a security researcher on March 30, 2019. The flaw, which allows stored cross-site scripting (XSS), is now being exploited in the wild. The buggy plugin is installed on over 60,000 websites and has been removed from the WordPress.org plugin directory.

Wordfence recommends that all users remove the plugin from their sites immediately.

The blog’s author writes that the vulnerability in YRP stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The line below is the crux of the problem. There is more in-depth coding tech-talk at Wordfence.

    }elseif( is_admin() ){ // only admin

He says developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used.

Injects malicious JavaScript

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.

As evidenced by the number of probes against my site, threat actors have begun exploiting sites with YRP installed. The exploits in the wild inject malicious JavaScript. When a visitor lands on a compromised website containing the malicious payload, they will be redirected to malicious tech support scam pages – like this example:

The Wordfence analysis shows that the attempts to exploit this vulnerability in YRP share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

The security researchers found that all three campaigns so far share these traits:

  • A malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53.
  • Exploitation of stored XSS injection vulnerabilities, followed by deployment of malicious redirects.

Wordfence is confident that the tactics, techniques and procedures in all three attacks point to a common threat actor.

Wordfence recommends that WordPress site owners running Yuzo Related Posts remove it from their sites immediately, at least until a fix has been published by the author.

rb-

What to do?

    • Keep your WordPress and plugins up to date.
    • Do you really need Yuzo Related Posts? Here is a list of alternatives from WordPress.
    • Make sure you have good backups of your WordPress site – and that you can restore them.
    • Get a firewall on your WordPress site.
    • Block the IP 176.123.9[.]53 from your site.
    • Harden your WordPress site.
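Removing the plugin stops new injections, but a site that was already hit still carries the payload in its saved settings and may still be serving the redirect. The following is an added example, not Wordfence’s or the plugin’s code, that does two of the checks a site owner would want after reading the list above: it scans HTML (a rendered page, or plugin option values exported from the database) for externally sourced scripts pointing at the indicators quoted in this post, and it flags web-server log lines (Apache/nginx combined format) that come from, or refer back to, those indicators. The HTML fragments and log lines in it are constructed samples.

```python
import re
from html.parser import HTMLParser

# Added example (not from the original post or from Wordfence): IoC scanning
# for the Yuzo Related Posts campaign. Indicators are the two quoted in the
# post; sample HTML and log lines are constructed for illustration.

IOC_HOSTS = {"hellofromhony.org", "176.123.9.53"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_hosts(html):
    """Return the hostnames of all externally sourced scripts (relative src values are ignored)."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        m = re.match(r"^(?:https?:)?//([^/:?#]+)", src.strip())
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def find_ioc_scripts(html):
    """Hosts of injected scripts that match the known indicators."""
    return [h for h in script_hosts(html) if h in IOC_HOSTS]


# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def flag_log_lines(lines):
    """Return a hit record for every log line tied to an indicator host or address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = None
        if m["ip"] in IOC_HOSTS:
            reason = "request from indicator address"
        elif any(h in m["referer"] for h in IOC_HOSTS):
            reason = "referer points at indicator host"
        if reason:
            hits.append({"ip": m["ip"], "method": m["method"], "path": m["path"], "reason": reason})
    return hits


# Constructed samples: one injected plugin setting, one clean page, three log lines.
SAMPLE_INJECTED = '<div class="related"><script src="https://hellofromhony.org/x.js"></script></div>'
SAMPLE_CLEAN = '<div class="related"><script src="/wp-includes/js/jquery/jquery.js"></script></div>'
SAMPLE_LOG = [
    '176.123.9.53 - - [10/Apr/2019:03:12:45 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2019:03:13:02 +0000] "GET /2019/04/some-post/ HTTP/1.1" 200 8192 "https://hellofromhony.org/r" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Apr/2019:03:14:10 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("injected:", find_ioc_scripts(SAMPLE_INJECTED))
    print("clean:", find_ioc_scripts(SAMPLE_CLEAN))
    for hit in flag_log_lines(SAMPLE_LOG):
        print(hit)
```

Run `find_ioc_scripts` over the plugin’s option values (for example, the output of a wp-cli options export) as well as over rendered pages: a stored XSS payload lives in the database, so cleaning the theme files alone does not remove it, and a restore from backup should be checked the same way before it goes live.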

Password Reset Practices “Obsolete”

Followers of the Bach Seat know that passwords suck. And now Microsoft (MSFT) has joined me in that revelation. The boys in Redmond recently recommended that organizations no longer force employees to change their password every 60 days.

In a TechNet blog penned by Aaron Margosis, a principal consultant for Microsoft, the company called the practice – once a cornerstone of enterprise identity management – “ancient and obsolete” as it told IT administrators that other approaches are much more effective in keeping users safe.

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value

In the latest security configuration baseline for Windows 10 “May 2019 Update” (1903) (available as a ZIP file for download here), which lets administrators apply Microsoft-recommended GPO baselines to improve a system’s overall security posture and reduce a Windows 10 machine’s attack surface, Microsoft dropped the idea that passwords should be frequently changed. Previous baselines had advised enterprises to mandate a password change every 60 days. (And that was down from an earlier 90 days.)

Mr. Margosis acknowledged that policies to automatically expire passwords – and other group policies that set security standards – are often misguided. He wrote,

The small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management … Better practices, however, cannot be expressed by a set value in a group policy and coded into a template.

Among those other, better practices, Mr. Margosis mentioned multi-factor authentication – also known as two-factor authentication – and banning weak, vulnerable, easily guessed, or frequently revealed passwords.

ComputerWorld points out that Microsoft is not the first to doubt the convention. The National Institute of Standards and Technology (NIST) made similar arguments as it downgraded regular password replacement. “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically),” NIST said in a FAQ that accompanied the June 2017 version of SP 800-63, “Digital Identity Guidelines,” using the term “memorized secrets” in place of “passwords.”

Then, the institute had explained why mandated password changes were a bad idea this way:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.

Both NIST and Microsoft urged organizations to require password resets when there is evidence that the passwords have been stolen or otherwise compromised. And if they haven’t been touched? “If a password is never stolen, there’s no need to expire it,” Microsoft’s Margosis said.
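What replaces the 60-day timer is a check at the moment a password is set, plus a reset that fires on evidence rather than on the calendar. The following is an added example written for this post (not Microsoft’s or NIST’s code) that implements the two controls named above: a banned-password list, and rejection of the “common transformations” NIST describes (bumping a trailing number, changing case, swapping in leet characters). The banned list is a small constructed sample standing in for a breach corpus or corporate deny list.

```python
import hashlib
import re

# Added example (not from the post, Microsoft, or NIST): password-change checks
# that replace scheduled expiry. BANNED_SAMPLE is a constructed stand-in for a
# breach corpus; a real deployment would load a large list or query a k-anonymity API.

BANNED_SAMPLE = {"password", "welcome1", "summer2019", "letmein", "qwerty123"}
# Keep only hashes so the deny list can be distributed without the plaintexts.
BANNED_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in BANNED_SAMPLE}

# Common leet substitutions, undone before comparison.
LEET = str.maketrans("@$!0134", "asiolea")


def core_form(pw):
    """Reduce a password to its 'core': lowercase, strip leading/trailing digits and
    symbols, undo leet. 'Welcome1', 'Welcome2' and 'welcome!' all share the core 'welcome'."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def is_banned(pw):
    """True if the password, or an obvious variant of it, is on the deny list."""
    candidates = {
        pw.lower(),                                   # exact (case-insensitive)
        re.sub(r"[^a-z0-9]+$", "", pw.lower()),       # trailing symbols removed
        core_form(pw),                                # digits/symbols/leet removed
    }
    return any(hashlib.sha256(c.encode()).hexdigest() in BANNED_HASHES for c in candidates if c)


def is_trivial_variant(new_pw, old_pw):
    """True if the new password is just a transformation of the old one."""
    core = core_form(new_pw)
    return bool(core) and core == core_form(old_pw)


def check_new_password(new_pw, old_pw=None, min_length=8):
    """Return a list of rejection reasons; an empty list means the password is accepted."""
    reasons = []
    if len(new_pw) < min_length:
        reasons.append("too_short")
    if is_banned(new_pw):
        reasons.append("banned")
    if old_pw is not None and is_trivial_variant(new_pw, old_pw):
        reasons.append("trivial_variant_of_previous")
    return reasons


def reset_required(compromise_evidence):
    """Force a reset only on evidence of compromise (e.g. credential seen in a breach
    dump, anomalous sign-in), never because a number of days has elapsed."""
    return any(compromise_evidence.values())


if __name__ == "__main__":
    print(check_new_password("Welcome2", old_pw="Welcome1"))     # trivial variant
    print(check_new_password("P@ssw0rd1"))                       # banned after de-leeting
    print(check_new_password("correct horse battery staple", old_pw="Welcome1"))  # accepted
    print(reset_required({"credential_in_breach_dump": True, "anomalous_login": False}))
```

The variant check is deliberately narrow: it catches the NIST-described “increase a number in the password” pattern and a few cosmetic swaps, which is what a forced periodic reset tends to produce, without trying to be a general similarity metric that would also reject legitimate new passwords.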

John Pescatore, the director of emerging security trends at the SANS Institute, told ComputerWorld:

I agree 100% with Microsoft’s logic for enterprises, which are who uses [group policies] anyway … Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it.

Like Microsoft and NIST, SANS’s Pescatore thought periodic password resets are the hobgoblins of little minds. “Having [this] as part of the baseline makes it easier for security teams to claim compliance because auditors are happy,” Pescatore told ComputerWorld. “Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. A great example of how compliance does not equal security.”

ComputerWorld notes other changes in the Windows 10 1903 draft baseline: Microsoft also dropped its policies for the BitLocker drive encryption method and cipher strength. The prior recommendation was to use the strongest available BitLocker encryption, but that, Microsoft said, was overkill (“Our crypto experts tell us that there is no known danger of [128-bit encryption] being broken in the foreseeable future,” MSFT’s Margosis told ComputerWorld), and it could easily degrade device performance.

Microsoft is also looking for feedback on a proposed change that would drop the forced disabling of Windows’ built-in Guest and Administrator accounts. Microsoft’s Margosis hedged a bit:

Removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.

rb-

We have covered this before: forcing users to change passwords over short time-frames inevitably leads to users choosing the simplest, most memorable, and most crackable passwords possible. Things have changed over the years, including technology that now enables threat actors to crack simplistic passwords easily.

MSFT is now actively pushing MFA in the enterprise, so it is not surprising that they are moving away from this general password policy.

MSFT changing its security baselines won’t change requirements made by regulatory authorities (PCI-DSS, HIPAA, SOX, NERC) and auditors. It takes years and years for them to change.

The change does not affect home users – but maybe it will make them think?

Slowly the world of passwords is starting to come under control.
