Saturday, 28 February 2015

Windows Server 2003 - The End Is Near


In July 2015 Microsoft will end Extended Support for Windows Server 2003. This means that the standard, packaged support offerings will no longer be available and that Microsoft will stop issuing security patches for the product. Organizations that stay on Windows Server 2003 beyond that date will therefore be exposed to significant risk, and they need to start planning a migration to Windows Server 2012 R2 as soon as possible. The migration is also a significant opportunity to take a closer look at the entire IT infrastructure, because every layer of IT technology has evolved considerably in the past ten years.

Organizations can potentially negotiate custom support agreements with Microsoft to keep receiving security patches beyond the cut-off date, but this will raise support costs significantly. Without such an agreement, applications and services built on Windows Server 2003 will be out of support, and out of compliance, unless they are migrated to a newer operating system platform.

The first step is to build an inventory of all applications running on Windows Server 2003. Once the assessment is underway, prioritize the applications and devise a migration plan. This can take considerable time, especially in the development and testing phases. The critical constraints are time, skills and budget, since developing and testing a new system architecture and application design is not a trivial task.

The biggest risk of staying on Windows Server 2003 is that Microsoft will no longer provide security patches and updates for vulnerabilities found in operational systems. This is not a trivial point: under the standard support model Microsoft still issues a double-digit number of critical patches for it every year. Windows Server 2003 installations will therefore become an increasingly attractive target for attackers as unpatched vulnerabilities accumulate. Running unsupported software will also put European organizations out of compliance with data-protection regulations and industry standards such as PCI DSS, which in turn restricts their ability to do business effectively.

Next, evaluate the technology options for the new IT architecture. Points to consider include new server hardware platforms, current server operating systems, a potential move from physical to virtualized environments such as Hyper-V, and the data protection and recovery products needed to ensure the resilience and recoverability of the infrastructure.

Once you have made your technology choices, design the new IT infrastructure and plan the system migration, including any move from physical to virtualized environments. Prioritize the services that have to be moved, and develop a plan to mitigate the risk of the workloads that will not be migrated right away.

Plan the migration process and prepare fall-back plans. Some data protection and recovery products can help with the physical-to-virtual migration and take risk out of the process by ensuring that you can fail back to the previous version of the infrastructure, application and data if something goes wrong.

Do not forget to test your applications in the new environment to verify that everything works as it should. This step is tricky and may take longer than expected.

Leaving the migration too late exposes you to substantial business risk, whereas acting now lets you complete the migration in good time. This is your opportunity to move to a modern, efficient and high-performance infrastructure that will position your organization well for the next decade.

Saturday, 21 February 2015

Desert Falcons


Desert Falcons, a cyber-espionage group that has targeted many organizations and high-profile individuals in the Middle East, was unveiled at the Kaspersky Lab Security Analyst Summit in Mexico. Analysts consider it the first known Arab group of "digital mercenaries" to have developed and run full-scale cyber-espionage operations against organizations.

The list of victims includes military and government organizations, in particular officials responsible for countering money laundering, as well as executives in the health and financial sectors, leading media, research and educational institutions, energy and utility providers, activists and political leaders, private security companies, and other individuals who hold sensitive geopolitical information.

The group has been active for at least two years. Desert Falcons began developing and building up its operation in 2011, but its main activity and the bulk of its malware infections started in 2013, and activity peaked in early 2015.

The vast majority of targets are located in Egypt, Palestine, Israel and Jordan.

Although the Middle East was its original target area, Desert Falcons also operates outside that region. In total, the group has compromised more than 3,000 victims in more than 50 countries and stolen more than one million records.

The attackers use custom-built malicious tools to attack Windows computers and Android devices. Kaspersky Lab's specialists have many reasons to believe that the native language of the Desert Falcons operators is Arabic.

While the attacks are concentrated in Egypt, Palestine, Israel and Jordan, many victims were also found in Qatar, Saudi Arabia, the United Arab Emirates, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States, Russia and other countries.

The main method Desert Falcons used to deliver its malicious payload was spear-phishing via email, instant messaging and social-media chat messages. The phishing messages carried malicious files (or links leading to malware) disguised as legitimate documents or applications.

Desert Falcons uses various techniques to lure victims into executing malicious files. One of the group's most typical tricks is the so-called "Right-to-Left Override". It abuses a special Unicode control character (U+202E) that reverses the display order of the characters that follow it, so the real, dangerous extension is hidden in the middle of the displayed name while a harmless-looking fake extension appears at its end. Using this technique, executables (.exe, .scr) look like innocuous documents or PDF files, and even careful users with good technical knowledge can be tricked into "opening" them. For example, a file whose name actually ends in ".fdp.scr" is displayed as ending in ".rcs.pdf".
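The following Python script is an added example, not code from the original post or from Kaspersky Lab's report. It shows how to detect the Right-to-Left Override trick by comparing the name a user sees with the extension the operating system will actually act on. The rendering function is an approximation of how a file manager draws a name containing U+202E, the list of executable extensions and the sample filenames are assumptions constructed for this example, and any filename containing a bidirectional control character is treated as suspicious because such characters have no legitimate place in an attachment name.

```python
import os
import sys

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE, RLO)
# is the one abused in the attacks described above; the others can be abused the
# same way and never belong in a filename, so all of them are flagged.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions Windows treats as executable code (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Constructed sample attachment names for a stand-alone run (not real campaign samples).
SAMPLE_NAMES = [
    "invoice_2015.pdf",                # benign
    "Annual_report\u202efdp.scr",      # displayed as "Annual_reportrcs.pdf", really a .scr
    "photo\u202egnp.exe",              # displayed as "photoexe.png", really an .exe
    "notes\u202eabc\u202c.pdf",        # RLO present but the real extension is still .pdf
]


def rendered_name(raw):
    """Approximate how a file manager draws the name: text after an RLO is shown
    reversed until the next PDF (pop) character or the end of the string; other
    bidi controls are invisible and are simply dropped from the display."""
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\u202e":
            end = raw.find("\u202c", i + 1)
            if end == -1:
                end = len(raw)
            out.append(raw[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_name(raw):
    """Compare what the user sees with what the OS will actually execute."""
    controls = sorted({BIDI_CONTROLS[c] for c in raw if c in BIDI_CONTROLS})
    shown = rendered_name(raw)
    real_ext = os.path.splitext(raw)[1].lower()      # the OS uses the raw name
    shown_ext = os.path.splitext(shown)[1].lower()   # the user sees the rendered name
    return {
        "raw": raw,
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real_ext,
        "bidi_controls": controls,
        # Any bidi control in a filename is suspicious; an executable extension that
        # differs from the displayed one is the RTLO disguise itself.
        "suspicious": bool(controls),
        "disguised_executable": real_ext in EXECUTABLE_EXTENSIONS and shown_ext != real_ext,
    }


def scan_names(names):
    """Return the analysis of every suspicious name in an iterable of filenames."""
    return [r for r in (analyze_name(n) for n in names) if r["suspicious"]]


def scan_directory(root):
    """Walk a directory tree and return findings for suspicious filenames."""
    names = []
    for dirpath, _dirs, files in os.walk(root):
        names.extend(os.path.join(dirpath, f) for f in files)
    return scan_names(names)


if __name__ == "__main__":
    findings = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_names(SAMPLE_NAMES)
    for r in findings:
        print("displayed as %r, real extension %s, bidi controls %s, disguised executable: %s"
              % (r["displayed"], r["real_ext"], ",".join(r["bidi_controls"]), r["disguised_executable"]))
```

Run it with a directory as the first argument to scan a download or mail-attachment folder, or without arguments to check the constructed sample names. The same check (reject or quarantine any attachment name containing a bidirectional control character) is cheap to apply at a mail gateway, where it catches the disguise before a user ever sees the reversed name.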

After a successful infection, the group uses one of two backdoors: either its main Trojan or the DHS Backdoor, which appears to have been written from scratch and is under constant development. Kaspersky Lab's experts identified more than 100 malware samples used in the attacks.

The tools have full backdoor functionality: they can take screenshots, log keystrokes, upload and download files, collect information about all files on the victim's hard disk and attached USB devices, steal passwords stored in the system registry (Internet Explorer and Live Messenger), and record audio. Kaspersky Lab's experts also found traces of what appears to be an Android backdoor capable of stealing call and SMS logs.