Posts by Bill Castle
There are now just a little over 100 days left until July 14, when Microsoft will end support for Windows Server 2003. That means no more patches at all, just like with Windows XP last year.
And a lot of people don’t even seem to know it.
After July 14, “Microsoft will no longer issue security updates for any version of Windows Server 2003. If you are still running Windows Server 2003 in your datacenter, you need to take steps now to plan and execute a migration strategy to protect your infrastructure.” That comes right from the company.
Bit9, an endpoint security firm, recently posted the results of its “Windows Server 2003 (WS2K3) End-of-Life Survey,” and the findings were not pretty. There were two glaring results from the survey:
- Nearly one in three enterprises (30%) plan to continue to run Server 2003 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected.
- More than half of enterprises surveyed (57%) do not know when the end-of-life deadline is. In the survey, Bit9 gave respondents a multiple choice question asking the month when Server 2003 end-of-life would occur. Thirty percent of organizations surveyed said “I do not know,” and another 27% guessed wrong.
Now, we all remember the predictions of Armageddon when Windows XP hit its end of life. I contributed a little to that hysteria. It turns out it never happened. XP has been in rapid decline, and the end of life accelerated that process. The bad guys go where the numbers are, and Windows 7 has the numbers.
But with Server 2003, migrations are nowhere near as quick as they are with desktops. At this point, even if you started a migration you probably wouldn’t complete it in time. Bit9 says a migration would take at least 200 days, while other experts give a wider range because of variances in the applications, their complexity, and so forth.
This means that millions of Windows servers holding sensitive data will be unpatched. Bit9’s mission is security, so it was most concerned about this.
“Servers, including domain controllers and Web servers, are where most organizations’ critical information resides. So, if organizations continue to run Windows Server 2003 after July 14, without implementing appropriate compensating controls, they are putting customer records, trade secrets, and other highly valuable data at risk. Cybercriminals, hacktivists, and nation-states prey on unprotected servers, leaving enterprises exposed to potentially catastrophic breaches that can lead to lawsuits, regulatory fines, and loss of customer trust,” the company wrote on its blog post.
A bit alarmist? Perhaps, but it’s their job to sound the alarms.
With 100 days left, Bit9 says organizations yet to upgrade must immediately aim to get their Server 2003 systems into a compliant state to eliminate both financial and legal penalties and avoid the brand damage associated with failed audits, data breaches, and noncompliance. Effective compensating controls for organizations without an upgrade plan include network isolation, application whitelisting, and continuous server monitoring.
And quite frankly, if you are in charge of an IT department and didn’t know this was coming, you should start updating your resume/LinkedIn profile.
As the use of mobile devices like smartphones and tablets increases every day, the need for cloud storage services has also been growing rapidly. Mobile devices, with their small and sleek form factors, have limited internal storage. This has made cloud storage services a necessity even for the average user. Eyeing the huge potential in online storage, many cloud storage services offer free storage to lure new customers.
BGR – THURSDAY, FEBRUARY 19, 2015 7:30 PM GMT
We’re starting to think there’s something seriously wrong with Sony these days. In addition to its ridiculous looking new Google Glass rival, Sony this week unveiled what might be the single stupidest tech product in history: A $155 memory card that promises to deliver “premium sound.”
“But wait!” justifiably flabbergasted readers may be saying. “What does a memory card have to do with delivering premium sound?”
As The Wall Street Journal informs us, Sony is claiming that the new SR-64HXA memory card “produces less electrical noise when reading data.” In other words, the card delivers premium sound by being less noisy than other memory cards. And Sony thinks this is worth $155.
To get a perspective on just how absurd this price is, we recommend reading The Verge’s full breakdown.
“Costing a cool ¥18,500 (roughly $155), the SR-64HXA is a Class 10 microSDXC card, the likes of which Sony already sells for a more reasonable $90 in Japan,” The Verge explains. “If you are willing to go with Samsung, that price falls to $50, and if you’re buying from the US, you could get the same amount and speed of storage for just over $30. Of course, only Sony’s new card is emblazoned with the golden-lettered ‘for Premium Sound’ tagline.”
At this point, we think Sony would have better luck trying to trick dim-witted farmers into giving away their cows for magic beans.
The hotel guest probably never knew what hit him. When he tried to get online using his five-star hotel’s WiFi network, he got a pop-up alerting him to a new Adobe software update. When he clicked to accept the download, he got a malicious executable instead.
What he didn’t know was that the sophisticated attackers who targeted him had been lurking on the hotel’s network for days waiting for him to check in. They uploaded their malware to the hotel’s server days before his arrival, then deleted it from the hotel network days after he left.
That’s the conclusion reached by researchers at Kaspersky Lab and the third-party company that manages the WiFi network of the unidentified hotel where the guest stayed, located somewhere in Asia. Kaspersky says the attackers have been active for at least seven years, conducting surgical strikes against targeted guests at other luxury hotels in Asia as well as infecting victims via spear-phishing attacks and P2P networks.
A critical vulnerability in the command-line interpreter for most Linux and Unix distributions, and that impacts Apple Mac OS X systems, is being actively targeted in the wild, according to security experts who are urging IT administrators to deploy patches to repair the dangerous weakness.
The GNU Bash shell vulnerability enables a remote attacker to execute malicious code when the command-line interpreter is invoked, and can be targeted in a variety of systems and devices that run Linux. Solution providers told CRN that their systems are already identifying attempts to probe client systems for exposure to it. Exploit code has been added to the Metasploit attack toolkit, a sure sign that cybercriminals could attempt to gain access to sensitive systems to launch a denial-of-service attack, bringing applications to a halt, experts said.
Security industry experts are warning that the risk posed by the threat exceeds that of the Heartbleed vulnerability, which, when made public, touched off a flurry of patching activity. Heartbleed exposed hundreds of thousands of servers, networking gear and other devices, and put the account credentials of millions of users at risk.
Heartbleed may pale in comparison to the Bash shell vulnerability, also being called Shellshock, because of how widespread the command-line interpreter is in Linux systems, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider Solutionary, a subsidiary of NTT Group.
“Because of the long history of Bash and how ingrained it is in almost every version of Unix and Linux that is out there, the exploitable footprint is very large,” Kraus told CRN. “This is just another potential avenue for inclusion in exploit kits, and organizations need to make sure that they have a firm handle on patch management process and patch management techniques.”
Bash can be called from other programs, including network vectors such as CGI, SSH and DHCP, according to the U.S. Computer Emergency Readiness Team, which issued an advisory Wednesday about the threat.
Major Linux distributions, including Red Hat, are beginning to issue patches to users, but early versions may not be fully vetted. Red Hat acknowledged in an advisory update that the patch was incomplete. Kraus said all solution providers are likely testing and deploying patches for impacted systems, as well as implementing detection signatures to identify any attacks in progress.
Intrusion prevention systems and next-generation firewalls can and should be updated with signatures to detect and block the threat, according to Martin Lee, a security analyst at Cisco Systems. Cisco and other firms are detecting attacks in the wild, Lee said in a blog post. Once exploited, the vulnerability gives attackers the ability to execute malware and conduct just about any kind of attack, including pivoting to other sensitive systems to steal data or denial-of-service attacks, Lee said.
“We have observed exploitation of the vulnerability in the wild,” Lee said. “We have indications that at least some of this activity is due to an automated malicious attack seeking to install DDoS tools on affected systems. However, due to the nature of this vulnerability, almost any tool or malware sample can be downloaded and executed.”
Andy Ellis, chief security officer at Cambridge, Mass.-based web content delivery giant Akamai, said his company was implementing patches and other measures to address the risk. In a blog post, Ellis said the widespread vulnerability poses a challenge for administrators because it could potentially impact so many systems and applications.
“As Bash is a common shell for evaluating and executing commands from other programs, this vulnerability may affect many applications that evaluate user input, and call other applications via a shell,” Ellis said. “The new vulnerability presents an unusually complex threat landscape as it is an industrywide risk.”
PUBLISHED SEPT. 25, 2014
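The article above says the flaw fires when Bash is invoked by another program, and that CGI, SSH and DHCP are the vectors to worry about. As an added defender-side example (not code from the CRN article, Cisco, Akamai, Solutionary or any other vendor), the following POSIX shell script runs the widely published harmless self-test on the local host: it starts bash with a clean environment containing one variable that looks like an exported function definition followed by a trailing command, and reports whether that trailing command ran. It also reports whether /bin/sh is itself bash, because that is the shell system(3) and most CGI wrappers reach first. The function names `bash_env_import_check` and `sh_is_bash` and the marker string are assumptions of this example.

```shell
#!/bin/sh
# Added example: local self-check for the Bash environment-variable
# function-import flaw discussed above. Run it on a host after patching
# to confirm the installed bash no longer executes trailing commands.

# Prints "vulnerable" if the bash found on PATH executes the trailing
# command of an imported function definition, "patched" if it does not,
# and "missing" if there is no bash to test. Exit status mirrors the result.
bash_env_import_check() {
    bash_path=$(command -v bash 2>/dev/null) || { echo "missing"; return 2; }
    # env -i clears the environment so PROBE is the only variable imported;
    # the marker is printed only if the trailing command is executed.
    out=$(env -i PROBE='() { :;}; echo SHELLSHOCK_MARKER' "$bash_path" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Prints "bash" if /bin/sh resolves to bash (so system(3), popen(3) and
# CGI wrappers that call /bin/sh reach the flaw), otherwise "other".
sh_is_bash() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    case "$(basename "$target")" in
        bash) echo "bash" ;;
        *)    echo "other" ;;
    esac
}

# Stand-alone run: report both facts for this host.
printf 'bash on PATH: %s\n' "$(bash_env_import_check)"
printf '/bin/sh is:   %s\n' "$(sh_is_bash)"
```

A "vulnerable" result on a host that also exposes CGI scripts or an SSH ForceCommand means the vendor patch has not landed (or, as the Red Hat note above warns, an early incomplete one did); re-run the check after each update rather than trusting the package version string alone.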
Two years ago, tech writer Mat Honan wrote a blockbuster story for Wired, describing how a child got into his iCloud account and briefly ruined his life. You may have heard that the same thing recently happened to some very famous women, almost certainly using the same method. Apple is making it easy for you to be next.
By: Geoffrey A. Fowler – July 15, 2014 9:05 p.m. ET
Like many of you, I’ve been considering cutting the cord on cable TV.
Today about 19% of American TV households live without cable, according to market research firm GfK. Many holdouts are haunted by doubts: How will I watch live sports? Without HBO, how will I know why everyone is talking about some mother of dragons?
Going without cable—or at least with considerably less of it—is easier than you think. Last week, I sliced my bill from $212 to $75 without giving up the stuff I really watch. Yes, cable and satellite companies lock away some content for subscribers. But you don’t have to be an online pirate to see what you want.