Anniversary

Ready for me to go old school? How about SQL Slammer-level old school? More than 13 years after it was first found scurrying around the internet, the SQL Slammer worm can still be found propagating in the wild, albeit minimally, according to IBM Managed Security Services (MSS) data.

But why does such an old threat keep making the rounds more than a decade after its discovery? Some older threats never die because they’re easy to exploit. There’s always the chance that a vulnerable system can be compromised by tried-and-true bugs.

Shellshock Surge

While SQL Slammer is a dated threat that only affected Microsoft SQL Server 2000, much more serious and widespread threats have followed in its footsteps.

Last Saturday marked the two-year anniversary of one of the most infamous bugs of 2014, Shellshock. A recent surge in attacks observed by IBM Managed Security Services suggested the threat is still prevalent.

From Zero Day to Present Day

A 20-year-old vulnerability (CVE-2014-6271) in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems, set off the wave of attacks known as Shellshock beginning in late September 2014. This first vulnerability was quickly followed by the disclosure of several additional vulnerabilities in the UNIX shell (including CVE-2014-7186 and CVE-2014-7187), at which point many realized that this was a threat to be reckoned with.

Right at the onset, we observed a significant increase in focused attacks leveraging these vulnerabilities — over 2,000 security events within 24 hours of the Shellshock bug disclosure. To get an idea of the magnitude of this activity, there were just over 7,500 Shellshock security events for the entire month of August 2016, according to IBM MSS data.

When a zero-day vulnerability surfaces, especially a high-profile one that can affect many systems, the corresponding exploit is usually disclosed promptly. With Shellshock, an exploit targeting the first vulnerability was publicly disclosed a mere 28 hours after the zero-day vulnerability emerged.

As news of this vulnerability and its ease of exploitation spread, the number of attackers opting to leverage and exploit it increased tremendously. Attacks came in waves from different source IPs and originating countries, rising in quantity every hour.

Shocking Numbers

As though in anticipation of its anniversary, Shellshock attack activity recently surged to levels not seen since 2015. As of Sept. 22, the month of September accounted for more than 26 percent of the total activity recorded in 2016.

A little over 70 percent of the attack traffic originated in the U.S., and another 18 percent came from Australia. Top targets of these attacks, according to IBM MSS data, include organizations located in the U.S. (26 percent), Japan (18 percent), India (16 percent) and Brazil (11 percent).

[Figure: Shellshock anniversary]

Retrospective Perspective

Before Shellshock had us scrambling to patch our systems in 2014, we were running for the hills because of another vulnerability. Heartbleed, which affected OpenSSL, a popular open-source implementation of the SSL/TLS protocols, was all over the news.

Heartbleed enabled attackers to remotely read the memory contents of an affected server without needing to log on or authenticate to it. Successful exploitation could allow attackers to retrieve private keys, passwords or other sensitive information from servers they were not authorized to access.

[Figure: Shellshock 2]

Although a formidable threat when it first surfaced — IBM MSS data revealed over 1.8 million Heartbleed-based attacks by the end of the first month — Heartbleed failed to exhibit the same staying power as its system-crippling cousin, Shellshock.

As shown in the figure above, in the past year, Heartbleed activity indeed paled in comparison to Shellshock, failing to reach even 15 percent of the total number of Shellshock attacks. Even as Shellshock attacks nosedived in November 2015 and continued to wane as we entered 2016, it still managed to maintain its stamina, averaging nearly 7,900 attacks per month throughout 2016.

Who Is Still Riding the Shellshock Wave?

Per IBM MSS data, as of mid-September, the U.S. is the leading country from which Shellshock attacks originate, making up 71 percent of the total in 2016. Approximately 1,800 unique source IPs based in the U.S. were responsible for these attacks. China is in a distant second, making up 8 percent of the Shellshock attacks, followed by Australia and Italy at 6 percent and 3 percent, respectively.

[Figure: Shellshock 3]

Who Is Still Suffering From Shellshock?

The U.S. is also the leading country in terms of organizations targeted by Shellshock, making up 46 percent of the total in 2016. Although Japan was at the top when the threat first materialized, it ranks second in 2016, making up 24 percent of the total on a global scale.

[Figure: Shellshock 4]

In terms of industries most targeted, the information and communication sector, including telecommunications companies as well as those that provide computer programming and consulting services, topped the list in 2016. They sustained over 46 percent of the Shellshock attacks. This makes sense since many major organizations in this space run Linux-based systems in their IT infrastructure and environments.

[Figure: Shellshock 5]

Financial services ranked second at 26 percent, followed closely by manufacturing in third at 16 percent. The finance sector began adopting Linux-based platforms over a decade ago, with early adopters including the Chicago Mercantile Exchange in 2004 and the New York Stock Exchange in 2007. The pervasiveness of the operating system in this sector makes it an attractive target.

UNIX systems, many of which employ the Bash shell, are also perhaps more prevalent in manufacturing than in other industries. ICS and SCADA hardware might also run basic UNIX-like firmware that can’t easily be updated due to operational constraints. That can leave outdated, vulnerable services such as SSH, OpenSSL and Apache running on critical devices.

Additionally, the large discrepancy in Shellshock activity observed in information and communications, financial services and manufacturing versus other industries may point to differences in patching practices among those verticals.

Make It Go Away

We wish we could wave a magic wand and make threats like Shellshock go away. But it’s not so simple, unfortunately. Like stains, some cyberthreats are persistently visible, and Shellshock seems bent on sticking around.

So how do you address this issue? Apply the appropriate update for your system. Failure to apply patches and fixes leaves your organization at risk of Shellshock attacks. Timely patch management is vital in organizations of any size. However, depending on the complexity of your environment, this is easier said than done.

Security intelligence and data analytics tools allow your organization to identify its most serious vulnerabilities and prioritize patching, keeping your systems patched and up to date. Virtual patch technology can add another layer of protection. While vendor patches are the first line of defense, protocol analysis, which is incorporated in IBM Security Network Intrusion Prevention product offerings, can provide that additional layer against these types of attacks. In fact, IBM has been helping to protect customers from Shellshock and similar attacks since 2007.
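As an added example (not part of the original post or of IBM's products), this is the kind of signature check that protocol analysis or a log review applies to spot Shellshock attempts: a Python scanner over constructed Apache combined-format access log lines that flags any request line, Referer or User-Agent beginning with the empty function definition "() {" that triggers CVE-2014-6271. The log lines, addresses and hostnames are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" access log sample (not real traffic): two
# Shellshock probes, one in the User-Agent and one percent-encoded in the
# request line, plus two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2016:10:15:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [22/Sep/2016:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [22/Sep/2016:10:15:03 +0000] "GET /cgi-bin/status?q=%28%29%20%7B%20:;%7D;%20echo%20probe HTTP/1.1" 404 210 "-" "curl/7.35.0"
198.51.100.8 - - [22/Sep/2016:10:15:04 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko)"
"""

# Apache combined log format. The quoted fields (request line, Referer,
# User-Agent) are the client-controlled values a CGI server exports into
# the environment, which is where a vulnerable Bash would parse them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CVE-2014-6271 is triggered by an environment value that begins with an
# empty function definition, "() {". Whitespace is kept flexible because
# probes vary it; legitimate browser strings never contain this sequence.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Return the combined-format fields of one log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """One hit per log line whose request, Referer or User-Agent carries
    the Shellshock trigger; fields are percent-decoded before matching."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: worth its own alert in practice
        for field in ("request", "referer", "ua"):
            value = unquote(rec[field])
            if SHELLSHOCK_RE.search(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"],
                             "field": field, "value": value})
                break  # one hit per line is enough for triage
    return hits
```

The combined log records only the request line, Referer and User-Agent, so a probe placed in a header the log does not capture is invisible to this scan; inline protocol analysis on the IPS sees every header, which is why the post treats it as a complementary layer.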

Let’s hope this upward trend is fleeting, and next year there won’t be any reason to publish an anniversary blog.

To learn more about other older attacks that are still successful, check out the white paper “Beware of Older Cyber Attacks.”



Security Intelligence

Windows 10 Anniversary Update New Features

A year has passed, and the new, improved Microsoft Windows is here, bringing new features and an old dilemma: is it wise to upgrade your PC or tablet to the latest version of Windows immediately? Here’s a list of features that would make you think twice about your decision.

In recent years, Microsoft has been on a roller coaster ride with its client operating systems, always going up and down. Popularity-wise, it’s been a “tick-tock” pattern: every other major release has gotten generally positive reviews, while the ones in between were hated by experts and users alike.

Windows XP was a huge hit with consumers and businesses alike, maintaining its image of a reliable operating system up until today, and is still in use in many enterprises, although support ended two years ago. XP’s successor Windows Vista was disliked by many, suffering from driver incompatibilities and performance issues, although it offered a slick, sleek, beautifully designed interface. Windows 7 came as a welcome relief to many Vista users and was eventually adopted by most companies and IT professionals as a stable platform on which you could run your business.

Desktops from Windows XP, Windows Vista, Windows 7 and Windows 8


Windows 8 wasn’t nearly so well-received, mostly due to the new user interface, designed primarily with touch devices in mind. It was clunky and difficult to use with a traditional keyboard and mouse, while the removal of the beloved Start Menu incited a minor rebellion among the faithful Windows users. The 8.1 update attempted to mollify the complainers and made the OS more usable, but many weren’t satisfied and announced they’d wait for the next version before upgrading existing computers.

And they finally got it… sort of…

That brings us to Windows 10. Released in the summer of 2015, it finally struck a balance between the traditional desktop interface and touch-friendliness for tablet users – not an easy feat, considering the very different needs. Specifically, Windows 10 brought back the Start menu, in a new and mostly better form.

Now the live tiles, that once lived only on the full-screen Start Screen, are accessible through the Start button from the desktop, integrating them into the traditional user experience instead of isolating them on a separate “page.” You can have no tiles or many, and arrange and size them however you like. The way I have mine set up, I can get a quick view of the weather, stock market, headline news, Microsoft Health data, mail and calendar appointments right there with one click of the Start button. It somewhat (but not completely) replaces the desktop gadgets that I adored in Vista and Windows 7, and which could be added back even to Windows 10 with a program such as 8GadgetPack.

Windows 10's Windows Hello: Photo credits: Microsoft

Microsoft included a number of other improvements in Windows 10, such as virtual desktops, something Linux users have had for years, or the Edge web browser, which started as a replacement of sorts for the much-criticized Internet Explorer and has since grown to be very useful and my browser of choice. There’s also Windows Hello, which still delights me after all this time whenever I sit down at my Surface and it recognizes my face and logs me in, with no password or PIN required. There are numerous other security enhancements, including automatic encryption of sensitive data and Device Guard.

An update a day keeps the critics away

As good as Windows 10 was, and it was very good, it still wasn’t perfect. And on the one-year anniversary of its release, Microsoft started rolling out an Anniversary Update edition, designed to address some of those places where the OS was still a little rough around the edges, and to improve some of the already-excellent features.

The upgrade process was fast and smooth. It took only about 40 minutes, including the download. There were a few things that had to be reconfigured afterward. Most notably, the aforementioned Windows Hello didn’t recognize my face on first logon. I had to use my password to get in and then re-train it; after that, it worked flawlessly again. Speaking of Hello, the upgrade made it even more functional. Now we’ll be able to use it not only to log onto Windows, but also for signing into web sites and apps – if they support it.

Another potentially very cool new feature on the authentication front is the Companion Device Framework that will allow for unlocking your computer with your smart phone or fitness band. I’m a big fan of my Microsoft Band and am hoping this capability is included in the Band 3 when it’s released. It would be great to have wearables authentication for certain web sites, as well. I use multi-factor authentication for some sites and the problem is that my phone, which the site calls or sends an SMS to authenticate, isn’t always nearby, whereas my Band is always on my wrist.

Surprising feature stars and discreet interface design heroes

The interface looks mostly the same, but some things work differently. The Start menu now lists all of your apps instead of lumping them in an “All Apps” link. Your profile, Windows Explorer, Settings and Power controls are moved to the bottom left, and there are also some subtle changes to the taskbar, as the Action Center is moved to the far right corner. I use my Surface with a docking station and four external monitors, and now the time appears on the taskbars of all the monitors, not just the main one. Again, small but useful. Click the time on the taskbar, and you’ll get not only the clock and monthly calendar, but also a list of your day’s events.

Windows 10 Anniversary Update's Interface; Photo credits: Microsoft

The surprising star of the Windows 10 show is Cortana, Microsoft’s voice-enabled personal assistant. It (she) was introduced last year and has since been released in Android and iOS versions. I tried it when I first started using Windows 10, but found it to be a little buggy, or maybe she just didn’t understand my Texas accent. A few months ago I tried again and found it to be improved, but now, after the anniversary update, Cortana is my new best friend.

I can access her from the Lock screen, but more important, since I have her installed on my Galaxy Note phone, she pushes my phone notifications to my Surface, where they appear in the Action Center. I love that kind of seamless integration. So far she hasn’t made even one mistake in transcribing what I say, and she responds via voice to many more of my questions, instead of just sending me to a web site that answers them.

She’s turning into a true digital assistant, able to remember things for me and make suggestions for actions I might want to take, or tell me if two of my appointments overlap. Of course, some of these functions can pose privacy issues, so be aware of that.

IT pros also got their share of new features

Going back to the Action Center, now Windows 10 lets you prioritize the notification types, so that all those Facebook notifications won’t crowd out your calendar appointments or messaging notices at the top of the pane. This is a small thing, but helps a lot.

Let’s not forget the security and update enhancements. Defender will now do periodic updates without interfering with other antivirus software you have installed, while Enterprise edition users got Windows Defender Advanced Threat Protection and Enterprise Data Protection. Security-conscious folks will be happy to know that the reviled password sharing is gone from Wi-Fi Sense, which now keeps your Wi-Fi credentials to itself.

In the Windows Update settings, you can now configure Active Hours, during which Windows won’t restart to install updates. That’s a welcome change, particularly for those who were frustrated when Windows wanted to sign off in the middle of important work. If you’re using the computer during non-active hours, you can still defer the restart and set a new time. There are quite a few more significant changes in the Anniversary Update edition, including Hyper-V containers (available only in Pro and Enterprise editions), the nifty Windows Ink feature, and enhancements to the Edge web browser, so I’ll return to some of them in some future posts on this blog.

Overall, I’m pleased with the upgrade. Will it cause problems for some people? Undoubtedly – there are many different PCs with different configurations and different software installed, which can result in different upgrade experiences. We’ve upgraded four computers at our house, and my experience indicates that fairly new systems that were already running Windows 10 are likely to complete the upgrade without any problems, although some take much longer than others. If you do have problems, check out this article that addresses some of the common issues and how to fix them. And let us know in comments about your experiences with the Windows 10 Anniversary Update and the new features it brought to IT Pros.

GFI Blog