Cyber Round-up for 31st August
Welcome to this week’s Ironshare’s Cyber Round-up, where we take a look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.
Microsoft Windows Zero-day in the wild
Monday saw the emergence of a new Zero Day bug in the Windows Operating System code. The bug was disclosed by a very unhappy security researcher who doesn’t appear to have followed the process for responsible vulnerability disclosure with Microsoft, instead resorting to posting the proof of concept exploit to Github.
When exploited, this Zero-day flaw can result in a local privilege escalation, giving a standard local user SYSTEM level privileges. The vulnerability exists in the Windows Task Scheduler API's handling of the Advanced Local Procedure Call (ALPC) interface.
The exploit code posted to Github has been tested, and all the latest versions of Windows (win 10 and 2016 Server) are impacted by the vulnerability, even if they are up to date with the latest security patches from Microsoft.
As the impact of this vulnerability is limited to the local machine, the base CVSS score has been set at 6.8. Microsoft has since acknowledged the bug and, although not confirmed, it is expected to be covered in the next Patch Tuesday, scheduled for 11th September.
Although this exploit is local in nature, it could be used as a component in a larger attack, so please ensure you patch as soon as the fix becomes available.
CERT/CC notice: https://www.kb.cert.org/vuls/id/906424
Instagram responds to recent stream of account hacks
Following our reports of Instagram account hacks in a previous edition of the round-up, Instagram have this week announced their plans to improve the security of user accounts and their two-factor authentication service.
As you may recall, Instagram's existing 2FA service relied on SMS-based one-time authentication codes sent by text message to a user's mobile handset. The attackers took advantage of known weaknesses in SMS-based 2FA to hijack a large number of Instagram accounts.
In response to this, Instagram have confirmed that they are implementing important steps to help secure their users' accounts. In addition to adding more account information and verification, so that the authenticity of accounts can be confirmed, they are also adding support for third-party Authenticator Applications.
Authenticator apps such as 'Google Authenticator', which can be downloaded to your mobile phone, automatically generate a new one-time code or token every 30 seconds, and are considered far more secure than SMS-based 2FA.
Instagram have reported that the rollout of these improvements is already underway and should be available to the global community in the coming weeks. If you are an Instagram user, it is highly recommended that you move to 2FA using a supported Authenticator App as soon as it becomes available.
Small Business Cyber Security
Earlier this month the US passed the NIST Small Business Cyber Security Act into Law, which requires the National Institute of Standards and Technology to provide ‘clear and concise’ information that will help Small Businesses identify and manage their Cyber Security risks.
The act is a good step forward and has been well received by the security industry. Its goal is to deliver common sets of guidance that are applicable to a wide range of business types and sizes, and importantly should remain vendor and technology neutral, which ensures compatibility with off-the-shelf products and solutions.
As the impact of a cyber-attack is typically far greater for a small business, which is generally less likely to recover from such an event, the hope is that by simplifying the basic security guidelines, organisations will find them far easier and more cost effective to adopt.
In the UK, our own National Cyber Security Centre (NCSC) provides excellent guidance to help companies improve their Cyber Security, which includes information for Small Businesses and Charities.
One of the discussed drawbacks to this new US law is that if it's not a regulation or an audited framework then it's unlikely to be a success.
NCSC had similar issues in the early days after the release of the '10 Steps to Cyber Security'. Although the contents were sound, it was not well known, and companies were unsure of how to correctly implement the guidance it provided. This led to the introduction of the Cyber Essentials certification program.
Cyber Essentials provides two levels of certification (Cyber Essentials and Cyber Essentials Plus) for companies that do not have the resources to develop a full-blown cyber security practice. By achieving Cyber Essentials certification, you and your customers can have the confidence that your organisation is covering the fundamental practices and guidance that is needed to protect against the most common types of attacks.
If you are a Small to Medium business and need to improve your Cyber Security posture or require assistance with achieving Cyber Essentials certification, why not get in touch and see if Ironshare can help you on your journey.
Let’s Encrypt hits back at false claims
I came across an interesting post by Troy Hunt this week, highlighting a Let's Encrypt community post from last year that was issued in response to some false claims by the domain name registrar Namecheap. The domain name company tried to debunk the use of Let's Encrypt's free certificate authority service, but failed miserably in the attempt.
The irony in this is that Namecheap are now using Let’s Encrypt certificates for their own domains, while still informing customers that LE’s service is not as secure as a paid for SSL certificate.
Let's Encrypt's response can be viewed below, and deals with busting some of the myths around its service. If you are considering using this free certificate service but still have some doubts, then take a look.
Let's Encrypt is an automated and open certificate authority, established to help the public adopt secure websites (using HTTPS), all free of charge. Basically, if you own a website or domain name, you can use LE to obtain a trusted certificate at zero cost.
Since this response was published last year, Let’s Encrypt now also provides wildcard certificates.
The free SSL certificates provided by Let's Encrypt are a great way to move a company's web services to HTTPS. Their user base is growing rapidly (now at 125 million domains serviced), and with the recent update that their Root CA is now trusted by all major providers, things are only going to improve.
That’s it for this edition but please tune in for our next instalment.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList
You can also follow us using the social media links provided.
If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview
Ironshare – Security Simplified
Edition #6 – 31st August 2018