Elephants, Cats, Coffee and Computers.

As part of my job at Novell I get to travel around various places. This has given me the chance to try numerous types of coffee across many countries and cultures. Coffee itself has an interesting history, starting with the legend of Kaldi. Kaldi was a goat herder who noticed his goats become somewhat animated after eating berries from a certain bush. History is quiet on whether his parents had told him not to eat berries from a bush; clearly they had not mentioned anything about picking the berries, throwing them into a fire and then using the roasted beans to create the drink we know today as coffee.

Coffee was cultivated, traded and drunk throughout the Middle East before spreading worldwide. The first coffee houses, known as qahveh khaneh, also began to appear at this time. Entertainment, musical performances, chess and the news of the day were all available to those imbibing the black stuff.

Your local coffee shop may offer some or all of those things; they may even be on the menu, although it’s unlikely you’d be able to buy Black Ivory Coffee unless you have phoned ahead several days in advance. This will then allow your beverage provider enough time to obtain a herd of Elephants, feed them several kilos of coffee berries and then wait for the digestive process to complete. Sort through the piles of dung for the coffee beans, roast, grind and you’re ready to brew. If space is an issue, as Elephants do take up space in any room, you could use Civet cats instead. I’d advise against that as we all know cats are evil. And their poo really smells.

I digress.

Today your coffee shop offers wi-fi as well. And that’s what can be hazardous to your computer. Here’s why.

Microsoft released its latest set of patches, so-called Patch Tuesday, this week. This particular update is noteworthy and requires immediate action on your behalf.

Within the list of updates are:

  • MS15-011 & MS15-014 which harden group policy and address network access vulnerabilities that can be used to achieve remote code execution (RCE) in domain networks.

  • MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product.

  • MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker controlled shares when Group Policy refreshes on client machines.

Remember our coffee shop, its collection of Elephants, Cats and wi-fi? Here’s the attack scenario as described by Microsoft.

MS15-014 Attack

This is an example of a ‘coffee shop’ attack scenario, where an attacker would attempt to make changes to a shared network switch in a public place and can direct the client traffic to an attacker-controlled system.

  1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\\Share\Login.bat.

  2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.

  3. The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.

  4. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server is now routed through to the attacker’s machine.

  5. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.

You can find more detail here: http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx
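As an added example (not from the original post, and not Novell or ZENworks tooling), here is a read-only PowerShell audit of the two client-side settings the scenario above turns on. It assumes the registry locations Microsoft documents for MS15-011 (the Hardened UNC Paths policy, which is opt-in) and for MS15-014 (SMB client signing); neither location is listed in the post itself.

```powershell
# Audit MS15-011 / MS15-014 client-side hardening on a Windows domain member.
# Assumed (not from the post): registry locations as documented in the MS15-011
# and MS15-014 bulletins. Run from an elevated prompt; this script changes nothing.

$hardenedKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$smbClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Test-HardenedUncPath {
    param([string]$Path)
    # A hardened entry is a string such as:
    #   "RequireMutualAuthentication=1, RequireIntegrity=1"
    # Look the value name up exactly; '*' in the name is not a wildcard here.
    $props = Get-ItemProperty -Path $hardenedKey -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    $value = $props.PSObject.Properties[$Path].Value
    if (-not $value) { return $false }
    return ($value -match 'RequireMutualAuthentication\s*=\s*1') -and
           ($value -match 'RequireIntegrity\s*=\s*1')
}

function Test-SmbClientSigningRequired {
    # RequireSecuritySignature = 1 makes the SMB client refuse unsigned sessions,
    # which is the requirement the MS15-014 bug allowed an attacker to switch off.
    $v = Get-ItemProperty -Path $smbClientKey -Name RequireSecuritySignature `
                          -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.RequireSecuritySignature -eq 1)
}

$findings = @()
foreach ($share in @('\\*\SYSVOL', '\\*\NETLOGON')) {
    $findings += [pscustomobject]@{
        Check  = "Hardened UNC path $share (MS15-011)"
        Passed = Test-HardenedUncPath -Path $share
    }
}
$findings += [pscustomobject]@{
    Check  = 'SMB client signing required (MS15-014)'
    Passed = Test-SmbClientSigningRequired
}
$findings | Format-Table -AutoSize

if ($findings.Passed -contains $false) {
    Write-Warning 'Hardening incomplete: a logon script fetched over SMB on an untrusted network could still be substituted.'
}
```

Installing the MS15-011 update alone is not enough; the Hardened UNC Paths policy must also be configured, which is why the SYSVOL and NETLOGON checks are reported separately from the SMB signing check.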

All of the updates from Microsoft are available in ZENworks Patch Management. If you can’t see them, just perform a subscription download to make sure you have the latest content.

Feb 10 Patch Tuesday

You deploy these updates in the usual manner. I’d also recommend that you look at using patch policies, which will make keeping on top of Patch Tuesday a lot easier for you.

To further protect your device estate, you should look at having security settings that can adapt to the location. ZENworks Endpoint Security allows you to define policies whose enforcement settings change depending on the location of the device. For example, the Firewall can be less restrictive on known networks but have increased restrictions for those that are unknown. You could force use of VPNs in those pesky coffee shops.

I should make it clear that ZENworks can do nothing about rogue Elephants sitting on a laptop or a cat doing something worse.