Let’s patch FileZilla using System Center 2012 R2!

While patching Microsoft applications these days might be easy using System Center or WSUS, non-Microsoft applications usually get forgotten. With the vast majority of vulnerabilities being present in your non-Microsoft applications, you can no longer simply take a guess at what to package up. How easy is it using a tool that has been specifically created for this problem? Let’s patch FileZilla 3.0.2.1 to 3.7.3.

Out of date versions are a security issue

Patching with the Flexera Corporate Software Inspector is very easy. With it set up, the data for the machine was already in the handy System Center plugin, asking to be updated:

The SPS is a dynamic list, only showing you what your environment needs unlike a traditional catalogue

 

Using the wizard the process was as simple as “next, next, publish” and the package was created:

Did you know you can also drive auto deployment rules?

 

Finally we deploy the package via System Center:

Deployment is no different to a Microsoft patch!

 

From here you use the built-in Configuration Manager options to deploy the software (patch FileZilla), either by a deadline or whenever the end user wants it:

Ready to install

Deadlines and maintenance windows can be used like normal

 

And we are done!

The process took only a few minutes!

 

If you would like to see more on how to patch FileZilla, including the wizard and also the huge database of products ready to be deployed, contact us for more information!

 

 

Update 1:

Below is the video of me conducting this, only 2 minutes long!

 

Are you patching effectively?

Patching is critical to keep your business secure, but many people think they can do it better manually. Even worse, when patching manually with no vulnerability scanning you never get an accurate picture of what needs to be secured on your network. Are you patching effectively?

Think you are doing a good job? Take one of our quick-scans and find out how you stack up, and then let us show you how you can do it better.

Australian Signals Directorate – “Security patching is key”. How compliant are you?

The Australian Signals Directorate (ASD) consider the timely deployment of application patches a core function in IT management. Security Patching is key to reducing an organisation’s vulnerability level on applications and operating systems.

In fact, the ASD currently rates application patching as one of the most effective security practices agencies can perform to mitigate targeted cyber intrusions.
Even so, we continually see organisations failing to implement a strategy to effectively manage this ongoing challenge.

Did you know?
The majority of successful cyber-attacks use publicly known vulnerabilities for which a patch is available. This means that a good portion of these attacks could have been avoided if companies and organisations had used vulnerability intelligence to mitigate the risks.

Want to find out how vulnerable your organisation is?
Get a Quick Scan – we can tell you in just a few minutes how secure you actually are.
If you’d like to learn a bit more first, contact us for more information.

Quickscan results showing the 3rd party application risk in your environment.

How can we help?
The Corporate Software Inspector from Secunia (now part of Flexera Software) is the intelligent solution to manage your security patching, enabling you to assess, prioritise and execute software vulnerability remediation to reduce risk. CSI tells you the when, where, what and how of security patching: it alerts you when a software vulnerability with an available patch is threatening your infrastructure, where it will have the most critical impact, what the right remediation strategy is and how to deploy it.

The Corporate Software Inspector lets your team know what to patch for maximum impact and consistent risk reduction. You get complete visibility of your systems, stay current and reduce the cost of your patch process significantly.

Drive-by downloads, being exploited without knowing

Imagine this: your employee is browsing the internet for recipe ideas for that night’s dinner. After a few different places, they stumble upon the website of a well-known chef with exactly what they want.

Just a few moments later you get a call: their machine is showing a well-known ransomware landing page, and the malware is making its way through your network drives, encrypting your data. How did this happen? They never clicked any malicious-looking emails, and they never browsed to any websites that weren’t reputable, and yet they have been hit with ransomware.

Fiesta EK attack paths

What has happened is a drive-by download: a malicious exploit kit is quietly downloaded in the background and exploits known vulnerabilities in software that has not been patched. Simply by visiting the website, the script ran, the exploit kit was downloaded and the malware payload was dropped onto the machine.

While this may sound like something that would only happen to people browsing ‘dodgy’ websites, keep in mind that just this year jamieoliver.com has been exploited three times with this exact method; February, March and May. As part of the exploit the ‘Fiesta EK’ was downloaded, which has been known to prey on vulnerabilities in unpatched versions of Flash, Silverlight, IE, Reader and Java. It has also been known to drop TeslaCrypt, a well known piece of ransomware that has been spawned off the previous ‘successes’ of the well known Cryptolocker.

Script calling the Fiesta Exploit Kit to be downloaded

So how do you protect against these seemingly undetectable threats? Fancy IPS or IDS systems, antivirus or malware analysis systems?

No, the solution is much simpler than that: patch your software.

It really is that simple. By patching the vulnerabilities that these exploit kits use to drop the malware, you close the loop and stop the exploit from being successful. In the case of the Fiesta EK, patching your Microsoft vulnerabilities alone will not do anything to stop the kit; you MUST patch your third-party software as well.

emt distributes Secunia software in APAC that specifically helps you do this; see more at https://www.emtdist.com/secunia/

emt, Secunia and Auckland University of Technology: a case study

With the university’s focus on innovation, third-party applications are prevalent across its IT infrastructure, which includes a wide variety of different platforms and operating systems.

Any of these applications may include a software vulnerability, which needs to be patched with an application update. But when multiple vulnerabilities compete for attention, it can be difficult…

Reward your hard work – Introducing Secunia Deal Registration

It’s no surprise how much work goes into growing an opportunity with a customer from an idea or quick conversation, to evaluation, proof of concept and finally through to close. After the weeks or months of work that you put into the process, the last thing that you want is for a competitor to come in and take that away from you. Wouldn’t it be nice to have a way to protect the hard work that you have put in, and also possibly gain an extra discount margin to make the sale even more lucrative to your business?

Strangely enough there is a way, introducing the “Secunia Deal Registration Program”:

The concept behind the program is simple in its design and yet provides a large help to your business as a partner trying to get the customer over the line. By registering an opportunity, the partner can increase the discount margin and protect it from being won by a competitor. The opportunity can only be registered to one partner, which leaves competing partners with a lower margin and hence helps secure the deal for you. The only requirements for the opportunity to be accepted are that it is not previously known to Secunia and that you are an approved Silver Partner. Should you be successful in registering the deal, you will also receive deal registration approval for the renewal, further protecting the investment you put in!

Deal Registration benefits include:
1. Dedicated technical support and sales support for customer meetings
2. Special pricing support
3. Installation and product configuration support
4. Training
5. MDF funds (Gold partners only)

Head over to the FAQ for more information (see below) and as always feel free to contact me or the team at emt for any further information.

 

https://www.emtdist.com/secunia/secunia-deal-registration/

https://www.emtdist.com/secunia/secunia-deal-registration-faq/

What’s Wrong with New Vulnerability Information?

When it comes to application vulnerabilities, information is everywhere. You can scan social media for the latest discoveries, keep up with what the research community is doing, or depend on vendors to keep you in the loop.

All this information lets you take charge and, once you hear about a new vulnerability, it can be tempting to rush into action. After all, the faster you can resolve the vulnerability, the lower the likelihood of it being exploited.

But slow down. Take stock. Because the most up-to-date information on vulnerabilities isn’t always as useful as it seems.

When now is too soon

The moment somebody uncovers an application vulnerability, they’re keen to share their findings widely. But in their eagerness to share, the slippery slope of misinformation begins.
The problem is that the initial reports of a vulnerability could:

  • Refer to pieces of code that are never called
  • Refer to bugs and errors that don’t create risk – they’re not vulnerabilities in the true sense
  • Depend on the existence of another vulnerability
  • Not apply to all versions, or all instances, or all combinations of software in their varied environments

But the security community doesn’t wait. It’s been taught that reaction speed is everything. So vulnerabilities are reported, then they’re repeated. One inaccuracy – one incorrect detail – is shared endlessly in varied articles and reports.

And you make your decisions based on this information.

The cost of inaccurate or incomplete information

Inaccurate reports fill your workload with false positives to chase. You begin spending your time on things that aren’t relevant to you, or don’t apply to your environment.

Mitigating your exposure could mean testing and patching. Taking nodes off line. Changing several applications in line with the one that’s supposedly vulnerable. It’s widespread disruption, and it comes at a huge cost.

And all the time you’re prioritising those potential risks, you’re ignoring the ones that really matter.

VENOM – critical risk or just another vulnerability?

In May 2015, CrowdStrike discovered VENOM (CVE-2015-3456) – a vulnerability in the virtual floppy drive code used in common virtualisation platforms.

This vulnerability affected a huge number of platforms and, as a result, became big news across the IT security sector. Based on news coverage, social media, and the overall reaction of the community, there was a sense that almost everything needed to be patched – fast.

However, more research made things seem less severe.

Secunia’s Threat Research Team conducted extensive analysis on the vulnerability. After investigation, it became clear that an attacker would need to be on a console or physically at a server to exploit the vulnerability.

The vulnerability was serious but, making things more nuanced, the actual risk posed was comparatively low. And that’s why detailed analysis is so important when you’re about to make expensive decisions.

Focusing your attention on legitimate, significant threats

Informational reports can raise the alarm. But it’s only further investigation that lets you make the right decisions about your response.

Secunia’s analysts don’t just repeat reports. They don’t rush into responding before careful consideration.

The team only releases advisories after vulnerabilities are verified. They assign every vulnerability a clear criticality rating, which can be used to prioritise your patching. And they present every advisory in the same clear and consistent format that’s easy to understand and full of practical insight.

So that’s why with Secunia VIM you get all the information you need – not just to act fast, but to take the action that’s most appropriate.

Get Verified Vulnerability Intelligence with Secunia VIM

How can you boost the capabilities of SCCM?

Microsoft System Center Configuration Manager (SCCM) is great for patching. It’s the most effective way for you to manage devices across your network, enforce your policies, and apply updates in a swift, automated fashion.

So it’s only natural to think that, with Microsoft SCCM up and running, you’re covered against application vulnerabilities.

But that’s an assumption that leaves your organisation exposed.

77% of vulnerabilities in the 50 most popular applications on private PCs affect third-party applications

According to the Secunia Vulnerability Review 2015, 15,435 vulnerabilities were discovered in 2014. But these weren’t all in Microsoft products – they were spread across 3,870 products from 500 different vendors.

In reality, 77% of the vulnerabilities uncovered in the 50 most popular applications on private PCs in 2014 affected non-Microsoft applications. So patching first party software with SCCM only solves part of the problem.

Of course, you’ve already spent time and money implementing SCCM. It’s a familiar tool that you use regularly, but it took time to learn its nuances and start using it efficiently.

Fortunately, you can leverage this existing investment and expertise to secure third-party applications right alongside Microsoft ones.

Using SCCM to find third-party applications

One of the hardest – and most time-consuming – parts of effective vulnerability management is achieving full visibility. Until you know the third-party applications that are used across your entire infrastructure, you can’t hope to check for vulnerabilities and patch them where appropriate.

SCCM includes a robust software inventory feature that can be used to scan for third-party applications. And when this is paired with an SCCM-integrated patch management platform, the results can form the foundation of your entire vulnerability work flow.

Secunia CSI takes data from SCCM’s software inventory and assesses the security patch status of more than 20,000 programs, reconciling SCCM’s knowledge of your network with Secunia’s insight into third-party software, vulnerabilities, and patches.
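The reconciliation step described above, sketched as an added example (not Secunia CSI or SCCM code): a software inventory export is checked against a baseline of minimum patched versions. The CSV layout, host names, product names and all baseline entries other than the FileZilla 3.7.3 target from the walkthrough are constructed for illustration.

```python
import csv
import io
import re

# Constructed baseline: minimum patched version per product. The FileZilla
# value is the target version from the walkthrough; the other entry is made up.
BASELINE = {
    "FileZilla Client": "3.7.3",
    "Example PDF Viewer": "11.0.10",  # hypothetical product
}

# Constructed inventory export (host, product, version); not real SCCM output.
INVENTORY_CSV = """host,product,version
WS-001,FileZilla Client,3.0.2.1
WS-002,FileZilla Client,3.7.3
WS-003,FileZilla Client,3.10.0
WS-003,Example PDF Viewer,11.0.9
WS-004,Example PDF Viewer,unknown
WS-005,Unlisted Tool,1.0
"""


def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if unparseable."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_outdated(installed, minimum):
    """Compare numerically, zero-padding so that 3.7 equals 3.7.0.

    A plain string comparison would rank "3.10.0" below "3.7.3".
    """
    width = max(len(installed), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(minimum)


def assess(inventory_csv, baseline):
    """Label each inventory row: outdated, current, unverified or untracked."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        minimum = baseline.get(row["product"])
        installed = parse_version(row["version"])
        if minimum is None:
            status = "untracked"    # no vulnerability data for this product
        elif installed is None:
            status = "unverified"   # version string needs a manual look
        elif is_outdated(installed, parse_version(minimum)):
            status = "outdated"
        else:
            status = "current"
        findings.append((row["host"], row["product"], row["version"], status))
    return findings


if __name__ == "__main__":
    for host, product, version, status in assess(INVENTORY_CSV, BASELINE):
        print(f"{host:8} {product:20} {version:10} {status}")
```

Rows marked untracked or unverified are the visibility gaps: they are not known to be safe, only not yet assessed.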

Bring third-party into Patch Tuesday

While Microsoft attempts to rebrand it as ‘Update Tuesday’, Patch Tuesday is a long-standing part of the IT administrator’s routine. It’s when Microsoft releases new patches – or updates – for its software, fixing known security vulnerabilities.

Thanks to its SCCM and Windows Server Update Services (WSUS) integration, Secunia CSI can make third-party patching a seamless part of this established routine.

So, using a familiar interface that doesn’t slow you down, you can:

  • Take stock of the applications across your network
  • Package patches for distribution
  • Deploy patches to every instance of an application

All in record time – and in a single downtime window.

An integrated platform for third-party patching and vulnerability scanning saves time, energy, and – as a direct result – money. So while SCCM doesn’t cover all bases out of the box, you can leverage your existing investment to keep your network defended against the entire spectrum of vulnerabilities.

Learn more about Secunia CSI here.

Pacnet reveals cyber breach after Telstra acquisition

In April this year Telstra finished its acquisition of Pacnet, giving it access to Asia’s largest privately owned submarine cable network as part of its strategy to expand into Asia.

According to news reports it appears that Telstra received a surprise signing bonus when the purchase was completed – notification that the Pacnet corporate IT network had been breached.

The itnews article claims that this wasn’t discovered during due diligence as Telstra and Pacnet were competitors at the time and Telstra only had limited access to information.

Access to the Pacnet internal network was gained through a SQL injection attack. SQL injection is one of the many web attack mechanisms used by hackers to steal data from organizations, and perhaps one of the most common application-layer attack techniques used today. It takes advantage of improper coding in web applications that allows an attacker to inject SQL commands into, say, a login form and so gain access to the data held within the database.

Attacks of this nature fall under strategy #24 Server Application Hardening ‘e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.’ in the Australian Signals Directorate (ASD) Top 35 Mitigation Strategies.
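The "improper coding" behind SQL injection in a login form, shown beside its fix, as an added example (not code from Pacnet, Telstra or Acunetix). The table layout, account and function names are constructed, and the in-memory SQLite database stands in for whatever database a real application uses.

```python
import hashlib
import hmac
import sqlite3


def hash_pw(password):
    # Simplified for the example; production code should use a salted,
    # slow password hash such as hashlib.scrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory database holding one constructed account (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", hash_pw("correct horse")))
    return db


def login_vulnerable(db, username, password):
    """Improper coding: form input is concatenated into the SQL text, so
    quote characters in the input change the structure of the query."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + hash_pw(password) + "'")
    return db.execute(query).fetchone() is not None


def login_hardened(db, username, password):
    """Input is bound as a parameter, so the database only ever treats it
    as data; the hash comparison is done in constant time."""
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], hash_pw(password))


# Constructed regression input: a username that closes the string literal
# and comments out the password check in the concatenated query.
REGRESSION_USERNAME = "alice' --"


def regression_results():
    """Return (vulnerable_result, hardened_result) for a wrong password."""
    db = make_db()
    return (login_vulnerable(db, REGRESSION_USERNAME, "wrong password"),
            login_hardened(db, REGRESSION_USERNAME, "wrong password"))


if __name__ == "__main__":
    print(regression_results())
```

Keeping a regression input like this in the application's test suite catches any later change that reintroduces string-built queries.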

Telstra is now left with the task of advising Pacnet customers about the breach.

Although there is no mandatory breach reporting in Australia, there is strong support for it. In October 2013, the Office of the Australian Information Commissioner (OAIC) released survey findings on community attitudes towards privacy, which showed that 96 percent of respondents want government agencies and businesses to notify them if their personal information is lost or compromised.

Earlier this year the parliamentary joint committee on intelligence and security (PJCIS) recommended that the Government introduce a mandatory data breach notification scheme before the end of 2015. Australia’s privacy commissioner, Timothy Pilgrim, has highlighted telcos’ bad track record in Australia, pointing to Telstra’s 2011 leak of 734,000 customer details and a further leak of the details of 15,775 customers in 2013.

 

emt Distribution represents Acunetix in Australia and New Zealand. Acunetix was founded to combat the alarming rise in web attacks including SQL Injection and Cross-Site Scripting among others.

Critical Vulnerabilities You Haven’t Read About

The issue used to be understanding that applications could be vulnerable. Today, you know that attackers can exploit your software to gain wider system access.

That’s in large part due to headline incidents where major vulnerabilities were discovered in common applications. From VENOM to Code Red to Heartbleed, more and more vulnerabilities are picked up by specialist media. Some of the biggest even manage to hit mainstream press.

But while knowing that vulnerabilities pose a huge danger is a good start, it’s actually not that useful. It just leads to a bigger question – what on earth do I do now?

When vulnerabilities hit the big time

Forget celebrities and footballers – the mainstream press is increasingly concerned with our network security. After all, we’re in a world where everything is connected. From phones to thermostats to fridges, the Internet of Things means everything can be networked.

And in a digital age, digital crime is just as important as any other form.

Take ShellShock. In 2014, open source software developer Stephane Chazelas discovered a bug in the Unix Bash shell that could be exploited to run arbitrary code. As a result, people could execute malicious commands on any device where Bash is used – everything from Linux web servers to Apple laptops and smartphones.

Having gone unnoticed in Bash since 1993, this was big news. So when Chazelas disclosed the bug he had uncovered, it was detailed everywhere from specialist IT security websites to The Huffington Post and The Guardian.

With even a cursory eye on the latest news, you couldn’t help but know about ShellShock. So it was easy to get to work, investigating where Bash was present across your network and applying the relevant patches.

But, widely reported, ShellShock was the exception to the rule.

Meet CVE-2015-0332

You’re probably familiar with ShellShock. You can’t have missed Heartbleed. But without celebrity status, CVE-2015-0332 hasn’t hit the headlines.

SA62621 Adobe Flash Player /AIR Multiple Vulnerabilities

Despite a less catchy name, this vulnerability is serious. It affects Adobe Flash Player and Adobe Air – popular, commonplace applications that most of us are running.

According to Secunia’s detailed vulnerability advisory, the vulnerability relates to a series of exploits that could be used to corrupt memory, and then used to run arbitrary code.

Like ShellShock before it, CVE-2015-0332 represents a huge risk. Thankfully, it’s easily fixed with an update to the latest Adobe Flash Player and Adobe Air versions.

But CVE-2015-0332 hasn’t been reported. The Guardian hasn’t given it a glance. The Huffington Post hasn’t posted.

So how can you expect to know about the latest vulnerabilities as soon as they happen, let alone resolve them quickly?

How do you check for critical vulnerabilities?

The security community has a collaborative approach to disclosing and logging all vulnerabilities as they’re discovered. Meanwhile, most reputable software vendors aim to keep customers informed.

So, to keep up with the latest vulnerabilities, you could:

  • Use an open source vulnerability database like OSVDB – manually checking every application you use for vulnerabilities. But how often? Every hour? Every day? Every week?
  • Sign up for updates from every third-party software vendor you use – and trust that they’ll keep you updated about vulnerabilities as soon as they happen

The problem is that this doesn’t leave a lot of time for everything else you need to do. Staying on top of application vulnerabilities requires a significant investment of time.

And even if you can spare the time, this approach depends on a 100% accurate view of all the third-party software that’s installed across your entire network.

The advantage of specialist vulnerability intelligence

It’s your job to eliminate application vulnerabilities through diligent patching. But it’s also your job to do lots of other things.

Secunia’s threat research team is dedicated to assessing reported vulnerabilities, verifying the nature of the exploit, assigning a clear criticality rating, and publishing all this information to the IT community. They keep on top of the latest threats so you don’t have to.

And with Secunia CSI, you get the advantage of Secunia’s expert vulnerability intelligence along with an accurate software inventory and packaging and deployment through Microsoft System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS) integration.

So you always know which third-party applications you’re running. And you always know about the latest vulnerabilities – even if you don’t recognise their names.

 

emt Distribution is the regional distributor for Secunia. Secunia is recognized industry-wide as a significant global player, within the IT security ecosystem, in the niche of Software Vulnerability Management. Our award-winning portfolio equips corporate and private customers worldwide with Vulnerability Intelligence, Vulnerability Assessment, and automated Security Patch Management tools to manage and control software vulnerabilities across networks and endpoints.