IE9 & IE10 Vulnerability Exposing Website Login Credentials

An as-yet-unpatched IE vulnerability is being exploited in the wild by criminals. Reports are that it is a fast-growing, widely exploited attack that has increased in distribution dramatically over the past few days. At risk are those running Windows 7 or Windows 8.x who use Internet Explorer version 9 or 10. Criminals are using phishing attacks and/or hacking and infecting high-profile/high-volume websites with the code necessary to inject instructions into the browser’s rendering engine. That injected code then grants them access to login credentials used during the current browsing session. This of course exposes credentials used for all sorts of sites, including banking and finance. A general fix release has not yet been made available via Windows Update, but Microsoft has released a fix-it tool as a temporary workaround.

Our suggestion is to switch to Firefox or Chrome if at all possible,  and at a minimum install the temporary patch from Microsoft (included in the links below).

Microsoft Patch : https://support.microsoft.com/kb/2934088#FixItForMe

Alternate Browser Download Links:
     Chrome : https://www.google.com/intl/en/chrome/
     Firefox : https://www.mozilla.org/en-US/firefox/all/

Further Reading:
    http://technet.microsoft.com/en-us/security/advisory/2934088
    Computer World Article
    http://www.itworld.com/security/406979/ie-zero-day-exploit-being-used-widespread-attacks
   

Target Data Breach: How’s Your Security?

It’s recently come to light that the Target data breach, in which millions of credit card numbers and PINs were compromised, was accomplished through the use of a third-party HVAC vendor’s stolen account credentials. Aside from the obvious questions of why on earth the HVAC network comes in contact with the financial network, or why either a third party or the heating and air system personnel would have access to financial data, it also brings up a plethora of other interesting topics for you to consider with your network. Hopefully Target has some good answers to the questions above; perhaps the HVAC password was used to gain access to other credentials that had access on financial networks. Whatever their answers may be, what questions should you ask about your network in light of their revelations?

With an ever-increasing level of connectivity between ancillary devices and our data networks, careful thought should be given to what devices have access to your data network. What vendors have you provided critical password or account information to over the years that might not be segmented from your network (phone vendors, copier vendors, HVAC service personnel, postage machines, CCTV/DVR equipment, etc.)? Are those devices and accounts restricted to only the areas for which they need access? Do you keep track of and delete/change passwords for these vendors when they are replaced or when you begin using a new vendor for various services? What is the password policy of the vendor? If they are going to require long-term access to devices on your network, wouldn’t you like to know how many of their former personnel might know passwords and access paths to your network? How do they handle password storage on their end?

What about your predecessors or current/former coworkers? How many of them had been given or may have gleaned a critical username or password? Did they provide (with authority or not) any account information to vendors or third parties? When an employee/vendor leaves, did you do a complete change of all passwords for all devices and existing personnel they might have known?

Some obvious solutions to Target’s issue would be to implement VLANs to segment non-critical devices from your data network, and further segment departments where it makes sense. Separate physical networks when it makes sense to do so. Implement some policies to mitigate security issues, and audit your systems to make sure you have good documentation of who has access. Rotate those passwords periodically, especially with vendor changes.

As an MSP, we often have passwords to everything on our clients’ networks, from routers to QuickBooks, as do most internal IT departments (especially in the small to mid-sized business sector). It’s not always necessary, but it is extremely convenient when problems arise, and convenience is often in direct opposition to being secure. We have and build trust relationships with our clients as professionals, and provide contracts stating how the above issues are mitigated by our policies and procedures. Do you use an MSP, and what are their policies on stored passwords and critical network information?

If you don’t know the answers to the above, it is time to do an audit of your accounts and access levels to all your infrastructure, your topology, vendor policies, and possibly your own policies. Don’t forget to thank Target for the lesson!

Next Step -> Encrypting sensitive data and securing communications

MS announces an update to the Windows 8.1 Update!

The Windows 8.1 update made Windows 8.1 a little more user friendly, giving us a start button back (even if it lacked an actual functional start menu to go with it), along with the ability to boot to desktop and get quickly back to the desktop when forced to the Metro interface. Now Microsoft has officially announced an update for the Windows 8.1 update. Microsoft is calling it the ‘Windows 8.1 Spring Update’ because, yeah, no idea. I guess Windows 8.11 harkened too much back to Windows 3.11 for Workgroups, a popular/functional OS? (I think most techies around then would agree that Windows 3.11 was finally the first really usable version of Windows 1, 2 or 3, and that given its lifespan and widespread adoption, Windows 8.11 could have benefited from that comparison ... but I digress.)

The focus (thank goodness) of this update appears to be on improvement for non-touch devices. Microsoft has finally decided that they should provide an OS that works for the 97% of their base who don’t have (and/or don’t want to use) a touch screen as their primary input device. They have therefore added improvements and changes that actually make the OS useful for ‘the rest of us’! The other major changes will also lower the space and memory requirements to run Windows 8.1, bringing the OS requirements within range of a much wider audience.

Since SP2 usually marks the point where an MS product is stable (in my opinion), I guess we’ll wait to see if Windows 8, + 8.1 update, + Spring Update = an SP2-level product, or if we’ll still be waiting for an OS on which we can be productive and feel comfortable recommending adoption by our clients, family and friends. Right now I highly recommend Windows 8 with no updates to all of our competitors 🙂

More Reading:
http://wind8apps.com/windows-8-1-update-spring/

Microsoft helping manufacturers compete with Chromebooks

Don’t get too excited: they are dropping the price on Windows 8.1, but only for manufacturers of low-end hardware. It should still eventually translate into lower prices for end users.

Microsoft confirmed that they plan to cut the price of Windows 8.1 by as much as 70% for the makers of lower-end hardware. Their hope is the price cut will allow manufacturers to drop the price of lower-end tablets and laptops in order to compete with the likes of Google’s Chromebook. It currently looks like Microsoft plans to allow manufacturers who sell hardware devices that retail for $250.00 and less to purchase Windows 8.1 for $15.00 instead of the normal $50.00. While a $30.00 difference doesn’t sound like a lot, with margins already very low in this low-end area, every dollar counts. Whether this translates into savings for consumers or not remains to be seen; thus far this appears to be good old-fashioned competition bringing consumers more choices at more price points.

More reading on the subject:
http://www.bloomberg.com/news/2014-02-22/microsoft-said-to-cut-windows-price-70-to-counter-rivals.html
http://www.reuters.com/article/2014/02/22/us-microsoft-windows-idUSBREA1L0WS20140222
http://www.dailytech.com/Report+Microsoft+to+Cut+Windows+81+License+Fees+by+70+for+Budget+PC+Makers/article34381.htm

Windows ‘Threshold’ to bring the start menu back?

Windows 8.1 was a good improvement, but if this article from Paul Thurrott over at winsupersite.com turns out to be true, it looks like Windows Threshold (maybe eventually Windows 8.2) may re-incorporate some of the start menu features many users have become accustomed to (including me). Regardless of your view on Metro vs. Desktop vs. Start Menu vs. ‘It’s just a BIG start menu, stop complaining’, options are good (SO make them optional features and allow users to change their interface to the way they want without having to resort to 3rd party apps or crazy hacks). http://winsupersite.com/windows-8/further-changes-coming-windows-threshold

FIX: XP svchost.exe / wuauclt.exe causing 100% CPU

UPDATE: http://redmondmag.com/articles/2014/01/16/windows-xp-resource-hog.aspx
They’ve finally managed to roll out the fix for the bug that has been causing the Windows Update issues.

 

Even though XP is shortly to be relegated to Microsoft’s end-of-product-support trash heap, we still support a number of clients who either haven’t, or due to legacy programs/hardware cannot, update some of their systems. We’ve recently started having spurious calls of ‘my machine is very slow’ etc., and our techs log in to find that the CPU is pegged at 100% (or 50% for those with hyper-threading enabled). The culprit is the familiar svchost.exe slamming the CPU. This is not uncommon on an infected or problematic machine, as this wrapper is responsible for a multitude of services, but no infection was found on most of the machines.

These recent cases have all quickly been tracked back to wuauclt.exe (Windows Automatic Update Client). Disabling auto update and killing the active processes of course fixes the problem, right up until somebody decides to re-enable it or attempts to run updates manually; then it’s back with a vengeance. Then there is the obvious: even though XP is slated to stop receiving updates in a little more than four months, disabling updates is a poor if not stupid solution.

We’ve finally found the fix that is working for nearly every system with this affliction: http://technet.microsoft.com/en-us/security/bulletin/ms13-097
For the majority (those with XP 32-bit SP3, up to date with IE8), the direct hotfix link is here: http://www.microsoft.com/downloads/details.aspx?familyid=1dbcb79c-bfb8-4e01-8824-8f834a012091

The real question is why Microsoft hasn’t fixed this issue during the last several ‘Patch Tuesdays’ (several have come and gone while this issue has been occurring, and even since they released this bulletin). One might conclude they think there might be an advantage to having customers get frustrated with their aging, about-to-be-deprecated (for updates) systems, especially at the end of the year and holiday buying season. Surely not 🙂 No matter what, for those with legacy software and hardware (especially in manufacturing) who will need their XP systems to operate for a long time to come, the above fix should help bring some life back to your system.

Brady Tucker
ITSS
