Newsletter Archives
-
Tasks for the weekend – February 27, 2021 Check your DNS
Posted on February 27th, 2021 at 22:36
There is one command that I have used for many years: ipconfig /all. With that command I can see what network I’m on by reviewing the IP address the system has been given.
It’s also a quick and dirty way of determining which DNS provider I’m using, because the output lists the DNS servers each adapter is configured to use. Often with ISP-provided routers you don’t have the ability to adjust the DNS settings. DNS, the Domain Name System, is how your computer turns a web site name into the address it actually connects to. Your choice of DNS resolver can also better protect your system: a filtering resolver such as OpenDNS refuses to answer for domains it knows are used for malware or phishing, so the connection never happens in the first place.
Some of the public resolvers you can choose from (primary and secondary address) are:
- Google DNS 8.8.8.8 and 8.8.4.4
- Cloudflare 1.1.1.1 and 1.0.0.1
- OpenDNS 208.67.222.222 and 208.67.220.220
- Quad9 9.9.9.9 and 149.112.112.112
You can follow the instructions here to manually change the DNS settings on your local machine, or you can make the change on your router, assuming it allows you to. A router-level change covers every device on your network; a per-machine change covers only that machine.
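Here is an added example (not from the original post) that does what ipconfig /all does by eye: it lists the DNS servers each active adapter is actually using, labels the ones that belong to the public resolvers listed above (their secondary addresses included), and asks each server directly for a test name so you know it answers rather than just being configured. It assumes a Windows 8 / Server 2012 or later machine with the DnsClient module; the probe name example.com is an arbitrary choice.

```powershell
# Added example: report which DNS servers each adapter uses and whether
# they are a known public resolver. Requires the DnsClient module
# (Windows 8 / Server 2012 and later).

# Well-known resolver addresses: the ones named in the post plus their
# secondaries. Anything else is reported as "ISP or other".
$KnownResolvers = @{
    '8.8.8.8'         = 'Google'
    '8.8.4.4'         = 'Google'
    '1.1.1.1'         = 'Cloudflare'
    '1.0.0.1'         = 'Cloudflare'
    '208.67.222.222'  = 'OpenDNS'
    '208.67.220.220'  = 'OpenDNS'
    '9.9.9.9'         = 'Quad9'
    '149.112.112.112' = 'Quad9'
}

function Get-DnsProvider {
    [CmdletBinding()]
    param(
        # Assumed probe name: any domain the resolver should be able to answer for.
        [string]$ProbeName = 'example.com'
    )
    # Only adapters that are up; only their IPv4 resolver list.
    $adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
    foreach ($nic in $adapters) {
        $cfg = Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4
        foreach ($server in $cfg.ServerAddresses) {
            $provider = if ($KnownResolvers.ContainsKey($server)) { $KnownResolvers[$server] } else { 'ISP or other' }
            # Query that specific server (no cache) so a listed-but-dead
            # resolver shows up as such.
            try {
                $answer = Resolve-DnsName -Name $ProbeName -Server $server -Type A -DnsOnly -ErrorAction Stop
                $ip = ($answer | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
                $status = "answers ($ip)"
            } catch {
                $status = "no answer: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Adapter  = $nic.Name
                Server   = $server
                Provider = $provider
                Probe    = $status
            }
        }
    }
}

Get-DnsProvider | Format-Table -AutoSize
```

A private address such as 192.168.1.1 in the Server column means the router is doing the resolving for you; in that case the provider that matters is whatever the router itself is configured with, which is the setting the post says some ISP routers won’t let you change.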
So what DNS settings do you use?
-
Feb 2021 patches so far
Posted on February 9th, 2021 at 21:51
We are still in watch-and-wait mode for the February updates. I’ll be waiting and testing and let you know what we find.
So far I don’t see 1909 being offered today’s security update. For those of you on 1909, are you seeing that as well?
For those of you who are business patchers, here are some links to follow:
Microsoft Windows Security Updates February 2021 overview – gHacks Tech News
Zero Day Initiative — The February 2021 Security Update Review
Microsoft February 2021 Patch Tuesday (sans.edu)
The zero-day bug that I talked about yesterday is an elevation-of-privilege bug: the attacker has to already be running code on the machine before it is useful, so it is not a remote entry point by itself.
The other bug that everyone is buzzing about is this one: Multiple Security Updates Affecting TCP/IP: CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086 – Microsoft Security Response Center “Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.”
For you and me, I don’t see this one as being horrific. A blue screen of death, while not something any of us want, does not mean the attacker has gotten our data. And we normally do not have our machines straight on the Internet but rather behind routers and firewalls, which is where “directly exposed to the internet” stops applying. For now, just make sure you have a backup and look for the full analysis in this week’s Plus newsletter.
Action plan as of right now:
- Waiting/Backing up mode for home users.
- Testing mode for business users.
Note: They’ve released the .NET patch with a known crashing issue that impacts Visual Studio: February 9, 2021 – KB4601050 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 2004, Windows Server, version 2004, Windows 10, version 20H2, and Windows Server, version 20H2 (microsoft.com).
-
Are you a MSP or use a MSP?
Posted on December 13th, 2020 at 18:32
Edit: At this time, we are not aware of an impact to our SolarWinds MSP products including RMM and N-central.
It looks to be only their enterprise customers at this time.
Edit: A twitterized version of the write up on the Microsoft threat analytics site can be read here:
https://threadreaderapp.com/thread/1338305089597964290.html
Here’s the key takeaway:
“…we do not know how the backdoor code made it into the library… research indicates… the attackers might have compromised internal build or distribution systems of SolarWinds, embedding backdoor… into a legitimate SolarWinds library” – SolarWinds.Orion.Core.BusinessLayer.dll
Another good write-up at FireEye.
If you are a managed service provider, or use a managed service provider to support you and your IT, read on…
If you’re a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team. Odds are you’re not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this. https://t.co/YvSGTv926a https://t.co/WFe89831Dj
— Chris Krebs (@C_C_Krebs) December 13, 2020
Word is coming out tonight that SolarWinds was the entry point into various targeted attacks that have been in the news lately including FireEye.
Just got this from @solarwinds:https://t.co/30EClmPXqw pic.twitter.com/1yjYp6lUyf
— Raphael Satter (@razhael) December 13, 2020
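For anyone who has to act on the “assume compromise” advice above, here is an added example (not from the post, SolarWinds or FireEye) that locates every copy of the library named in the Microsoft write-up, SolarWinds.Orion.Core.BusinessLayer.dll, and records its version, Authenticode signer and SHA-256 so it can be compared against the published indicator list. The search roots are assumed default install locations, and $KnownBadSha256 is a placeholder you fill from the vendor/FireEye IOCs; nothing in the script is hard-coded as malicious.

```powershell
# Added example: inventory SolarWinds.Orion.Core.BusinessLayer.dll on this host.
# $SearchRoots and $KnownBadSha256 are placeholders (assumed paths; IOC list
# supplied by you), not values from the original post.
$Dll         = 'SolarWinds.Orion.Core.BusinessLayer.dll'
$SearchRoots = @("${env:ProgramFiles(x86)}\SolarWinds", "$env:ProgramFiles\SolarWinds")
$KnownBadSha256 = @()   # populate from the published IOC list (upper-case SHA-256)

function Get-OrionBusinessLayerReport {
    $files = Get-ChildItem -Path $SearchRoots -Filter $Dll -Recurse -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path      = $f.FullName
            Version   = $f.VersionInfo.FileVersion
            Modified  = $f.LastWriteTimeUtc
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SigStatus = $sig.Status
            Sha256    = $hash
            KnownBad  = ($KnownBadSha256 -contains $hash)
        }
    }
}

$report = Get-OrionBusinessLayerReport
if (-not $report) {
    Write-Host "No $Dll found under $($SearchRoots -join ', ')"
}
$report | Format-List
```

Read the output with the quoted takeaway in mind: because the attackers are believed to have compromised the build or distribution systems, the backdoored library shipped signed with SolarWinds’ own certificate, so a SigStatus of Valid does not clear a file. The hash comparison against the published indicators is the check; the signer and version are there so the incident response team knows exactly which build it is looking at.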
-
Shopping online safely?
Posted on November 28th, 2020 at 13:17
Just this morning I received a funky phone call from “San Diego” telling me about several transactions on my “credit card” and that I needed to call them back to approve the transactions.
Needless to say I didn’t call them back.
The CISA page reminds us to be wary of scams this time of year.
CISA recommends these three simple steps to keep consumers safe when shopping:
- Check your devices – Before starting your hunt for the best deal, make sure your devices are up-to-date and all of your accounts have strong passwords. If you purchase an internet connected device or toy, change the default password and check the device’s privacy and security settings to make sure you’re not sharing more information than you want.
- Shop through trusted retailers – Before making a purchase and providing any personal or financial information, make sure you’re using a reputable, established vendor. Similarly, if you’re planning to make a charitable donation, be sure to research who or where your donation is going, to ensure it’s a legitimate organization.
- Use safe methods for purchases – If you can, use a credit card or other forms of digital payments as opposed to a debit card, as credit cards often have better fraud protections.
So what are you doing to ensure you are safe online this year?
-
Easiest way to make it easy for attackers
Posted on November 18th, 2020 at 21:37
We are really bad at picking passwords. Truly we are. I’ve also seen that many folks use the same passwords on many web sites. So attackers only have to get a data dump from one hacked database and then they can try those same passwords everywhere else (the attack known as credential stuffing).
Do yourself a big favor over the holiday season: 1. pick better passwords (passphrases, and a different one for each site) and 2. see if the site allows you to add two-factor authentication.
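Since the whole problem is passwords that already sit in someone’s data dump, here is an added example (not from the original post) of checking a candidate password against a public breach corpus without sending the password anywhere. It uses the Pwned Passwords k-anonymity range API: only the first five hex characters of the password’s SHA-1 leave the machine, the service returns every suffix it has for that prefix, and the match is done locally. The embedded sample response is constructed so the logic runs offline; the real API returns hundreds of lines per prefix.

```powershell
# Added example: k-anonymity breach check. Only a 5-character SHA-1 prefix is
# ever sent; the full hash is compared locally.
function Get-PasswordSha1 {
    param([Parameter(Mandatory)][string]$Password)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    try   { ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $sha1.Dispose() }
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Optional pre-fetched range response (lets the check run offline);
        # when omitted, the range API is queried for the hash prefix only.
        [string]$RangeResponse
    )
    $hash   = Get-PasswordSha1 -Password $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    if (-not $RangeResponse) {
        # Add-Padding makes the service pad responses so the line count does not
        # leak anything about the prefix being queried.
        $RangeResponse = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                                           -Headers @{ 'Add-Padding' = 'true' }
    }
    # Each line is "SUFFIX:COUNT"; padding entries carry a count of 0.
    foreach ($line in ($RangeResponse -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix -and [int]$parts[1] -gt 0) {
            return [int]$parts[1]   # number of times seen in breach data
        }
    }
    return 0
}

# Constructed sample for the prefix 5BAA6 (SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts are made up for the demo.
$sample = @"
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:1
"@
Test-PwnedPassword -Password 'password' -RangeResponse $sample   # 3730471 (constructed)
Test-PwnedPassword -Password 'correct horse battery staple xyz' -RangeResponse $sample   # 0 with this sample
```

A count of zero means the passphrase is not in that corpus, not that it is strong; a non-zero count means it is already in the lists the credential-stuffing tools use and should not be reused anywhere.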
-
Security shouldn’t be political
Posted on November 17th, 2020 at 23:40
Tonight I heard on the news that President Trump fired Chris Krebs (no relation to Brian Krebs), who was head of the Cybersecurity and Infrastructure Security Agency. If you aren’t familiar with CISA, they send out a ton of good security information, most of which inspires me to write security articles.
Mr. Krebs first came to government from Microsoft and was instrumental in developing relationships between business and government.
Given the HUGE HUGE risk we all have from ransomware we need more people like Chris Krebs in government, not less.
Then there's #Ransomware – we’re focused on ramping up a national strategic effort to combat this global scourge. We MUST improve defenses, break the business model, and take the bad guys out of the game. This is the most visible, disruptive cyber threat as I see it right now.
— Chris Krebs #Protect2020 (@CISAKrebs) November 16, 2020
Tonight, we fired that guy. We need more defenses against ransomware. We still make it way, way too easy for attackers to get us. Not a day goes by that bleepingcomputer.com doesn’t post another story of ransomware nailing yet another business. I still see way too many malicious emails wiggle in. Too many malicious sites. Too many attacks. We need more people pushing for solutions, not less.
We need good people to help us in protecting us against ransomware. Comments now turned off at this time and apologies for doing so.
-
Patch side effects November updates – Domains only
Posted on November 17th, 2020 at 23:05
Hats off to EP for spotting these. From Microsoft’s release notes:
Addresses issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049, which was a part of the November 10, 2020 Windows update. The following issues might occur on writable and read-only domain controllers (DC):
- Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
- Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
- S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.
This issue ONLY affects those with domains (businesses): the registry value lives on domain controllers, so it will not impact peer-to-peer or standalone computers. I expect to see more of these fixes for other platforms.
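The third bullet above is the one that bites mixed-patch-level forests: DCs in intermediate domains that disagree on PerformTicketSignature. Here is an added example (not from the post or Microsoft) that reads the value from every writable and read-only DC and warns when they differ. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs; the registry location and meaning of the values (0 = disabled, 1 = default deployment mode, 2 = enforcement; an absent value behaves as 1) are as documented in Microsoft’s CVE-2020-17049 guidance.

```powershell
# Added example: compare PerformTicketSignature across all DCs in a domain.
# Requires the ActiveDirectory module and WinRM to each DC.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'PerformTicketSignature'

function Get-KdcTicketSignatureMode {
    param([string]$Domain = $env:USERDNSDOMAIN)   # defaults to the current domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    foreach ($dc in $dcs) {
        try {
            $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                param($key, $name)
                (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            } -ArgumentList $KdcKey, $ValueName
            # Absent value: the KDC behaves as if it were 1.
            $mode = if ($null -eq $value) { 'missing (behaves as 1)' } else { "$value" }
        } catch {
            $mode = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DC       = $dc.HostName
            ReadOnly = $dc.IsReadOnly
            Site     = $dc.Site
            Mode     = $mode
        }
    }
}

$report = Get-KdcTicketSignatureMode
$report | Format-Table -AutoSize

# Disagreement between reachable DCs is exactly the cross-domain S4UProxy
# referral failure case described in the release notes.
$distinct = $report | Where-Object { $_.Mode -notlike 'unreachable*' } |
            Select-Object -ExpandProperty Mode -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning "PerformTicketSignature differs across DCs: $($distinct -join ', ')"
}
```

Run it once per domain in the forest (pass -Domain for each) so that the intermediate domains on a referral path are in the comparison, not just the one you happen to be logged into.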
Spotted another one: November 17, 2020 – KB4594442 (OS Build 17763.1579) for 1809, https://support.microsoft.com/en-us/help/4594442, labelled out-of-band (uh no, that’s not an out-of-band patch for security the way I define out of band…). And more (thanks EP):
- KB4594441 for Win10 v1607: https://support.microsoft.com/help/4594441
- KB4594443 for Win10 v1903 & 1909: https://support.microsoft.com/help/4594443/
- KB4594440 for Win10 v2004 & 20H2: https://support.microsoft.com/help/4594440/
-
Patch Lady – make sure you are protected
Posted on October 28th, 2020 at 21:14
To specifically target hospitals and healthcare with ransomware is pure evil.
Brian Krebs reports that the “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” Earlier today a webcast was also talking about this risk.
I’ve installed the October patches.
I’ve checked to make sure backups are working (and are not going to a drive that is writable by the user account doing the backup, because ransomware running as that user will encrypt the backup along with everything else; look to your backup vendor and ask them whether their solution isolates the destination).
I’ve made sure that my email has spam filters and email hygiene turned on.
I’ve repositioned my tinfoil hat so my paranoia is turned full on.
If you work for healthcare or know of someone in healthcare reach out to them and warn them that they are being targeted by cyber attackers and be extra careful.