
Wednesday, November 15, 2023

Software Scalability

Software scalability refers to the ability of a software system to handle increased workload, additional users, or growing data volumes without sacrificing performance. Scalability is a critical consideration in software development, especially for applications and systems that are expected to grow over time. There are generally two types of scalability: vertical scalability and horizontal scalability.

1. Vertical Scalability (Scaling Up):

   - Vertical scalability involves increasing the capacity of a single hardware or software component, typically by adding more resources to a single machine.

   - Examples of vertical scalability include upgrading the CPU, adding more memory (RAM), or increasing storage capacity on a single server.

   - While vertical scaling can provide a quick solution, it has limitations, and there's a point beyond which further vertical scaling becomes impractical or cost-prohibitive.

2. Horizontal Scalability (Scaling Out):

   - Horizontal scalability involves adding more machines or nodes to a distributed system to handle increased load.

   - This approach is often associated with the use of technologies such as load balancing and distributed computing.

   - Horizontal scalability is well-suited for modern, cloud-based architectures and is a common strategy in microservices and containerized applications.

Key considerations for achieving software scalability include:

- Decomposition: Breaking down a monolithic application into smaller, more manageable components (microservices) can enable better horizontal scalability, as each component can be scaled independently.

- Load Balancing: Distributing incoming network traffic or application requests across multiple servers or resources helps prevent overloading a single server and ensures even utilization of resources.

- Caching: Implementing caching mechanisms for frequently accessed data can significantly reduce the load on databases and improve overall system performance.

- Database Scaling: Scaling the database layer is often a critical aspect of achieving overall system scalability. This can involve techniques such as sharding, replication, or using distributed databases.

- Asynchronous Processing: Utilizing asynchronous processing for tasks that don't require immediate responses can help improve the responsiveness of an application, especially during periods of high load.

- Elasticity: Designing systems to be elastic allows them to automatically scale up or down based on demand. Cloud computing platforms often provide auto-scaling features to achieve elasticity.

- Monitoring and Optimization: Regularly monitoring system performance, identifying bottlenecks, and optimizing code and infrastructure are crucial for maintaining scalability as the application evolves.

Scalability is not a one-size-fits-all solution and should be tailored to the specific requirements and characteristics of the application. It's an ongoing process that requires careful planning, testing, and adaptation as the software evolves and user demands change.

Tuesday, November 7, 2023

The Army Signal Corps: A History of Innovation and Excellence

Introduction

The United States Army Signal Corps has played a pivotal role in the military's success and efficiency for over a century. Founded in 1860, the Signal Corps has continuously adapted to the evolving demands of modern warfare and technological advancements. This essay aims to explore the success of the Army Signal Corps, highlighting its rich history, key contributions, and ongoing significance in the armed forces.

I. Historical Evolution

The history of the Army Signal Corps is a testament to its adaptability and resilience in the face of changing circumstances and challenges. From its inception during the Civil War to its current role in the digital age, the Signal Corps has evolved in response to the needs of the U.S. Army.

1. Civil War and the Telegraph

The origins of the Signal Corps can be traced back to the American Civil War. During this conflict, the use of telegraphy became an essential means of communication, allowing commanders to transmit orders, intelligence, and strategic information over long distances. The Signal Corps was established in 1860, making it one of the oldest branches in the U.S. Army. Its primary role during the Civil War was to provide vital telegraph and signal communication support to the Army.

2. Expansion and Growth

In the years following the Civil War, the Signal Corps expanded its capabilities to include telegraph, signaling, and aerial observation. It played a significant role in supporting military campaigns in the American West, including communication between forts, outposts, and supply lines. As the United States expanded its territories, the Signal Corps was crucial in maintaining communication in remote and challenging environments.

3. World War I and World War II

The Signal Corps continued to evolve during the 20th century. During World War I, it became an integral part of the U.S. Army's communication network, using new technologies such as the radio to establish wireless communication capabilities. These developments were further enhanced during World War II, where the Signal Corps played a pivotal role in coordinating troop movements, intelligence dissemination, and maintaining communication lines throughout the global conflict.

4. Cold War and the Space Race

The Signal Corps adapted to the demands of the Cold War, with a focus on secure and reliable communication systems. The development of satellite technology and the launch of the first communications satellite, Project SCORE, in 1958 marked a significant milestone for the Signal Corps. This era also saw the development of the Integrated Wideband Communications System (IWCS), which revolutionized long-range communication.

II. Key Contributions

The success of the Army Signal Corps can be attributed to its numerous and significant contributions to military operations, technology, and innovation.

1. Communication and Coordination

One of the primary roles of the Signal Corps has been to provide reliable communication and coordination within the military. Throughout its history, it has continually improved communication technologies, from telegraphy and radios to satellite and digital systems. These advancements have enabled commanders to make informed decisions, coordinate troop movements, and maintain situational awareness, ultimately enhancing the effectiveness of military operations.

2. Intelligence Gathering

The Signal Corps has been instrumental in gathering intelligence from the battlefield. Signal intelligence (SIGINT) involves intercepting, analyzing, and interpreting enemy communications. This valuable information has been critical in understanding the intentions and capabilities of adversaries, giving U.S. forces a significant advantage.

3. Innovation and Technology

The Signal Corps has consistently been at the forefront of technological innovation. From pioneering early radio transmission techniques to the development of advanced satellite communication systems, the Signal Corps has adapted to emerging technologies and embraced cutting-edge solutions. Its expertise in communication technologies has not only benefited the military but has also had broader implications for civilian telecommunications.

4. Cybersecurity

In the modern era, the Signal Corps has taken on the challenge of defending military communication and data networks from cyber threats. As the digital landscape has evolved, the Signal Corps has played a vital role in developing and implementing cybersecurity measures to safeguard sensitive information, maintaining the integrity and confidentiality of military communication.

5. Space Operations

The Signal Corps has also played a crucial role in space operations. It has been responsible for launching and managing military satellites, which serve various functions, including navigation, weather monitoring, and secure communication. These capabilities have enhanced the military's reach and effectiveness, both on the battlefield and in everyday operations.

III. Ongoing Significance

The Army Signal Corps continues to be a vital component of the U.S. Army, providing essential services and capabilities that are central to the success of military operations.

1. Modernization and Adaptation

The Signal Corps remains dedicated to modernization and adaptation to meet the evolving needs of the military. In an era of digital warfare and advanced technology, it is essential that the Corps continues to develop and maintain cutting-edge communication and cyber capabilities.

2. Cybersecurity and Information Assurance

As cyber threats become more sophisticated, the Signal Corps's role in cybersecurity and information assurance is increasingly critical. Safeguarding military networks and information is paramount to national security, and the Corps must continue to invest in and develop robust cyber defense capabilities.

3. Space Operations and Satellite Communication

Space operations and satellite communication are integral to the military's global reach and capabilities. The Signal Corps will continue to manage and expand these assets to ensure secure and reliable communication, navigation, and intelligence gathering.

4. Interoperability

The Signal Corps also focuses on ensuring interoperability with other branches of the military and allied forces. Effective communication with partner nations is vital in multinational operations, and the Signal Corps works to facilitate seamless information sharing.

Conclusion

The Army Signal Corps has a long and storied history of success, evolving to meet the changing demands of warfare and technology. From its origins during the Civil War to its current role in the digital age, the Signal Corps has consistently contributed to the success and effectiveness of the U.S. Army. Its achievements in communication, intelligence gathering, technology innovation, cybersecurity, and space operations have had a profound impact on military operations and national security.

As we look to the future, the Signal Corps will continue to play a crucial role in ensuring the military's ability to adapt, communicate, and coordinate effectively in an ever-changing world. Its commitment to modernization, cybersecurity, and space operations will remain central to its ongoing significance in the defense of the United States. The Army Signal Corps is a testament to the importance of adaptation, innovation, and excellence in achieving success in the armed forces.

Wednesday, October 25, 2023

Mainframe Modernization

Mainframe modernization is the process of updating and migrating legacy mainframe systems to more modern and flexible technologies. There are several common patterns and approaches for modernizing mainframe systems. These patterns aim to enhance agility, reduce costs, and leverage new technologies. Here are some mainframe modernization patterns:

1. Rehosting (Lift and Shift): In this pattern, the mainframe application is moved to a different platform without making significant changes to the code. It often involves moving to a cloud-based infrastructure or a more modern on-premises system. This approach can be relatively quick but may not take full advantage of modern capabilities.

2. Replatforming (Lift and Reshape): Replatforming involves moving the mainframe application to a new platform, such as a containerized environment or a serverless architecture, with minimal code changes. This approach allows for better scalability, performance, and cost-efficiency while maintaining the core application's functionality.

3. Refactoring (Code Transformation): Refactoring involves restructuring the mainframe code to be more modular and compatible with modern programming languages and architectures. It may involve breaking monolithic applications into microservices or redesigning the user interface for modern web and mobile platforms.

4. Rewriting: In some cases, a complete rewrite of the mainframe application is necessary. This pattern involves recreating the application using modern technologies and frameworks while preserving the business logic and data. It offers the opportunity to redesign the system with current best practices and technologies.

5. Service-Oriented Architecture (SOA) and APIs: This pattern involves exposing mainframe functionality as services or APIs. By doing this, other systems and applications can interact with the mainframe in a more standardized and efficient way. It's a step towards creating a more flexible and interconnected ecosystem.

6. Data Migration and Integration: Modernization efforts often involve migrating data from the mainframe to new databases or data storage solutions. Data integration technologies and techniques play a crucial role in ensuring data consistency and accessibility.

7. DevOps and Continuous Integration/Continuous Deployment (CI/CD): Implementing DevOps practices and CI/CD pipelines can help streamline the modernization process, making it easier to develop, test, and deploy changes to the mainframe applications.

8. Legacy Extension: In some cases, the mainframe system may not be entirely replaced. Instead, it's extended to work alongside new technologies. This allows for a gradual transition and coexistence of legacy and modern systems.

9. Cloud Adoption: Leveraging cloud services can provide scalability, flexibility, and cost savings. Modernization efforts may include migrating to a cloud-based infrastructure and utilizing cloud-native services.

10. Microservices and Containerization: Breaking down monolithic mainframe applications into smaller, manageable microservices and containerizing them can make the system more agile, scalable, and easier to maintain.

11. User Interface Modernization: Improving the user interface is often a key component of mainframe modernization. Legacy green-screen interfaces can be replaced with modern web or mobile interfaces, enhancing the user experience.

12. Legacy Application Integration: Modernizing mainframe systems doesn't necessarily mean replacing them entirely. Integration with newer technologies and systems can allow for a gradual transition and coexistence of legacy and modern components.

Choosing the right modernization pattern depends on the specific needs and constraints of the organization, the nature of the mainframe application, and the desired outcomes. It often involves a combination of these patterns and a well-thought-out modernization strategy.

Mainframe Modernization Patterns (such as Strangler Fig)

The Strangler Fig pattern is a specific modernization approach that can be used when dealing with legacy systems, including mainframes. It is named after the Strangler Fig tree, which starts as a vine and eventually envelops and replaces the host tree. In the context of modernization, the Strangler Fig pattern involves gradually replacing or rebuilding parts of a legacy mainframe system while leaving the core system in place. Here's how it works:

1. Identify Functional Modules: Identify specific functional modules or components within the mainframe application that you want to modernize or replace. These could be parts of the system that are outdated, causing performance issues, or are in need of new features.

2. Develop New Components: Develop new, modern components or services to replace the identified modules. These components are typically built using contemporary technologies and best practices. They are designed to fulfill the same functionality as the old modules but with improved performance, scalability, and flexibility.

3. Integration Layer: Create an integration layer that connects the new components to the existing mainframe system. This layer facilitates communication between the old and new parts of the application. Common approaches include using APIs, microservices, or data integration technologies.

4. Gradual Replacement: Over time, start replacing the identified modules or features in the legacy system with the new components. This can be done incrementally, feature by feature, or module by module. The legacy system gradually gets "strangled" as more and more of its functionality is taken over by the modern components.

5. Testing and Validation: Thoroughly test the integrated system to ensure that it functions correctly and meets business requirements. This includes validating data consistency and ensuring that the new components do not disrupt the overall system's operation.

6. Iterate: Continue this process iteratively, replacing additional modules and expanding the modernization effort. The pace of modernization can be adjusted to the organization's needs, budget, and risk tolerance.
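One way to realize the integration layer (step 3) and the validation step (step 5) above, as an added example that is not from the post: a Python façade routes each module to its legacy or modern implementation by stage, shadows the new component against live traffic and refuses cutover while divergences remain. The billing module, its handlers and the request shape are hypothetical.

```python
"""Strangler Fig integration layer (added illustration; not the post's code).

Each functional module of a hypothetical legacy billing system is routed to
its legacy or modern implementation according to a per-module stage. A
SHADOW stage runs both and records divergences, so a module is cut over only
after the new component has been validated against live traffic."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable


class Stage(Enum):
    LEGACY = "legacy"   # only the legacy module serves requests
    SHADOW = "shadow"   # legacy serves; modern runs alongside for comparison
    MODERN = "modern"   # cutover complete; the legacy path is no longer called


Handler = Callable[[dict], Any]


@dataclass
class Facade:
    legacy: dict[str, Handler]
    modern: dict[str, Handler] = field(default_factory=dict)
    stage: dict[str, Stage] = field(default_factory=dict)
    divergences: list[tuple[str, dict, Any, Any]] = field(default_factory=list)

    def register_modern(self, module: str, handler: Handler) -> None:
        """Plug a new component in behind the integration layer. It starts
        in SHADOW so it is validated before it serves anything."""
        self.modern[module] = handler
        self.stage[module] = Stage.SHADOW

    def cut_over(self, module: str) -> None:
        """Promote a module only if its shadow runs showed no divergence."""
        if self.stage.get(module) is not Stage.SHADOW:
            raise ValueError(f"{module} is not in shadow mode")
        if any(d[0] == module for d in self.divergences):
            raise ValueError(f"{module} still has unresolved divergences")
        self.stage[module] = Stage.MODERN

    def call(self, module: str, request: dict) -> Any:
        stage = self.stage.get(module, Stage.LEGACY)
        if stage is Stage.MODERN:
            return self.modern[module](request)
        result = self.legacy[module](request)
        if stage is Stage.SHADOW:
            # The new component must not disturb the live path: a failure or
            # a mismatch is recorded as a divergence rather than propagated.
            try:
                shadow = self.modern[module](dict(request))
            except Exception as exc:
                shadow = exc
            if shadow != result:
                self.divergences.append((module, request, result, shadow))
        return result


# Constructed demo module: interest in cents from principal and basis points.
def legacy_interest(req: dict) -> int:
    return req["principal_cents"] * req["rate_bp"] // 10_000   # truncates


def modern_interest_v1(req: dict) -> int:
    return round(req["principal_cents"] * req["rate_bp"] / 10_000)  # rounds


def modern_interest_v2(req: dict) -> int:
    return req["principal_cents"] * req["rate_bp"] // 10_000   # legacy rule kept


def demo() -> dict:
    facade = Facade(legacy={"interest": legacy_interest})
    facade.register_modern("interest", modern_interest_v1)
    requests = [{"principal_cents": 12_345, "rate_bp": 375},
                {"principal_cents": 100_000, "rate_bp": 500}]
    live = [facade.call("interest", r) for r in requests]   # legacy answers
    divergences_v1 = len(facade.divergences)
    try:
        facade.cut_over("interest")
        promoted_early = True
    except ValueError:
        promoted_early = False
    # Fix the new component, re-validate from a clean slate, then cut over.
    facade.divergences.clear()
    facade.register_modern("interest", modern_interest_v2)
    for r in requests:
        facade.call("interest", r)
    facade.cut_over("interest")
    return {"live": live, "divergences_v1": divergences_v1,
            "promoted_early": promoted_early,
            "stage": facade.stage["interest"].value,
            "divergences_v2": len(facade.divergences)}
```

The rounding difference in the first rewrite is the kind of behavioural drift shadow mode exists to catch before any client is served by the new code.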

Benefits of the Strangler Fig pattern:

1. Incremental Modernization: This pattern allows organizations to modernize their mainframe systems incrementally without the need for a massive, risky, "big bang" migration.

2. Reduced Risk: Because the legacy system remains operational throughout the modernization process, the risk of unexpected issues causing business disruptions is minimized.

3. Lower Cost: Costs are spread out over time rather than requiring a large upfront investment, making it financially more manageable.

4. Preservation of Business Logic and Data: The core business logic and data in the legacy system remain intact, ensuring continuity of business operations.

5. Flexibility: The organization can adjust the pace of modernization to accommodate changes in business requirements or technological advancements.

The Strangler Fig pattern is a well-regarded approach for modernizing mainframes and other legacy systems. It allows organizations to transition to modern technologies and practices while preserving the value of their existing systems and data.

Wednesday, August 30, 2023

Bi-directional Communication Between Databases

Enabling bi-directional communication between a database (DB) and an external application involves setting up mechanisms to allow data to flow between the two entities in both directions: from the database to the application and vice versa. This can be achieved through various methods, depending on your specific use case, database system, and technology stack. Here are a few common approaches:

1. APIs (Application Programming Interfaces):

   - Database APIs: Many modern databases provide APIs that allow external applications to interact with the database. These APIs often support both reading and writing data. Examples include JDBC/ODBC for relational databases and REST APIs for various database types. You would need to create API endpoints that handle different operations like querying, updating, inserting, and deleting data.

2. Change Data Capture (CDC):

   - CDC Tools: Change Data Capture tools capture and track changes made to the database. They can monitor changes in real-time or batch mode and then propagate those changes to external applications. This enables bidirectional communication by keeping the application updated with the latest changes made to the database.

3. Message Queues and Pub/Sub Systems:

   - Message Queues: Using a message queue system like RabbitMQ, Apache Kafka, or AWS SQS, you can have the database publish messages about changes or events. The external application subscribes to these messages and reacts accordingly, which can include updating data in the database.

   - Publish-Subscribe (Pub/Sub) Systems: Similar to message queues, Pub/Sub systems like Redis Pub/Sub or Google Cloud Pub/Sub allow you to publish events when data changes in the database. Subscribers can then receive these events and perform appropriate actions.

4. Stored Procedures and Triggers:

   - Stored Procedures: Some databases support stored procedures, which are pre-defined sets of SQL statements that can be executed by an external application. You can create stored procedures to handle data manipulation and interaction.

   - Triggers: Triggers are database-defined actions that are automatically executed when certain events occur, such as data insertion, deletion, or update. You can use triggers to initiate actions in response to changes in the database.

5. Websockets:

   - Websockets: Websockets provide a persistent, bidirectional communication channel between the application and the server, including the database server. This allows real-time updates from the database to the application and vice versa.

6. API Integration Platforms:

   - Integration Platforms: There are platforms like Zapier, Integromat, and Microsoft Power Automate that enable you to create automated workflows between different applications, including databases and other systems. These platforms often support bidirectional data flow.


When implementing bidirectional communication between a database and an external application, consider factors such as security, data consistency, error handling, and performance. Choose the approach that best fits your use case and technology stack, and ensure that the communication is efficient and reliable. Additionally, consider implementing proper authentication and authorization mechanisms to ensure that only authorized parties can access and modify the data in the database.
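An added example, not from the post, combining approaches 2 and 4: triggers write every committed change to an outbox table, and a consumer delivers the rows to the application in order and at least once, with the error handling and the write-back direction the closing paragraph calls for. SQLite stands in for the database; the customer schema, trigger names and sample rows are constructed.

```python
"""Trigger-based change data capture via an outbox table (added illustration,
not the post's code; the customer schema and sample rows are constructed)."""
import sqlite3
from typing import Callable

SCHEMA = """
CREATE TABLE customer (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    tier  TEXT NOT NULL DEFAULT 'free'
);
-- Outbox: one row per committed change, consumed by the external application.
CREATE TABLE customer_changes (
    seq      INTEGER PRIMARY KEY AUTOINCREMENT,
    op       TEXT    NOT NULL CHECK (op IN ('INSERT', 'UPDATE', 'DELETE')),
    row_id   INTEGER NOT NULL,
    email    TEXT,               -- row state after the change (NULL on DELETE)
    tier     TEXT,
    consumed INTEGER NOT NULL DEFAULT 0
);
-- Triggers fire inside the writer's transaction, so a change and its outbox
-- row commit or roll back together: the application never sees a phantom.
CREATE TRIGGER customer_ai AFTER INSERT ON customer BEGIN
    INSERT INTO customer_changes (op, row_id, email, tier)
    VALUES ('INSERT', NEW.id, NEW.email, NEW.tier);
END;
CREATE TRIGGER customer_au AFTER UPDATE ON customer BEGIN
    INSERT INTO customer_changes (op, row_id, email, tier)
    VALUES ('UPDATE', NEW.id, NEW.email, NEW.tier);
END;
CREATE TRIGGER customer_ad AFTER DELETE ON customer BEGIN
    INSERT INTO customer_changes (op, row_id) VALUES ('DELETE', OLD.id);
END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def drain_outbox(conn: sqlite3.Connection, apply: Callable[[dict], None]) -> int:
    """Deliver unconsumed changes in commit order with at-least-once semantics:
    a row is marked consumed only after apply() returns, and a failure stops
    the drain so later changes cannot overtake the one that failed."""
    delivered = 0
    rows = conn.execute(
        "SELECT seq, op, row_id, email, tier FROM customer_changes "
        "WHERE consumed = 0 ORDER BY seq").fetchall()
    for seq, op, row_id, email, tier in rows:
        try:
            apply({"op": op, "id": row_id, "email": email, "tier": tier})
        except Exception:
            break
        conn.execute("UPDATE customer_changes SET consumed = 1 WHERE seq = ?", (seq,))
        conn.commit()
        delivered += 1
    return delivered


def demo() -> dict:
    conn = open_db()
    mirror: dict = {}   # the external application's copy of the data

    def apply(change: dict) -> None:
        if change["op"] == "DELETE":
            mirror.pop(change["id"], None)
        else:
            mirror[change["id"]] = {"email": change["email"], "tier": change["tier"]}

    def failing(change: dict) -> None:
        raise RuntimeError("downstream unavailable")

    with conn:   # database -> application: two inserts become two outbox rows
        conn.execute("INSERT INTO customer (email, tier) VALUES (?, ?)", ("a@example.com", "free"))
        conn.execute("INSERT INTO customer (email, tier) VALUES (?, ?)", ("b@example.com", "pro"))
    first = drain_outbox(conn, apply)
    with conn:
        conn.execute("UPDATE customer SET tier = 'pro' WHERE id = 1")
        conn.execute("DELETE FROM customer WHERE id = 2")
    second = drain_outbox(conn, apply)
    # application -> database: a parameterised write-back. The trigger records
    # it too, which is how the application's own write reaches the outbox.
    with conn:
        conn.execute("UPDATE customer SET email = ? WHERE id = ?", ("a2@example.com", 1))
    third = drain_outbox(conn, apply)
    # Error handling: a failed delivery leaves the change unconsumed for replay.
    with conn:
        conn.execute("UPDATE customer SET tier = 'enterprise' WHERE id = 1")
    failed = drain_outbox(conn, failing)
    retried = drain_outbox(conn, apply)
    pending = conn.execute(
        "SELECT COUNT(*) FROM customer_changes WHERE consumed = 0").fetchone()[0]
    return {"first": first, "second": second, "third": third, "failed": failed,
            "retried": retried, "mirror": mirror, "pending": pending}
```

Because the application's own write-back also lands in the outbox, a consumer that mirrors blindly will re-apply its own change; the same seq-ordered outbox makes that echo visible so it can be filtered.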

Sunday, August 27, 2023

Creating a UTC Time Zone Offset Table

Creating a UTC time zone offset table can be useful for mapping time zones to their respective UTC offsets. Here's an example of how you could structure such a table:


CREATE TABLE UTCTimeZoneOffset (
    time_zone_id INT PRIMARY KEY,
    time_zone_name VARCHAR(50),
    utc_offset_minutes INT
);

INSERT INTO UTCTimeZoneOffset (time_zone_id, time_zone_name, utc_offset_minutes)
VALUES
    (1, 'UTC', 0),
    (2, 'Greenwich Mean Time', 0),
    (3, 'Eastern Standard Time', -300),
    (4, 'Central Standard Time', -360),
    (5, 'Mountain Standard Time', -420),
    (6, 'Pacific Standard Time', -480);
    -- Add more time zones and their respective UTC offsets as further rows

In this example, the `UTCTimeZoneOffset` table stores time zone information along with their corresponding UTC offsets in minutes. You can populate this table with various time zones and their UTC offsets according to your needs. The `time_zone_id` column serves as the primary key for referencing specific time zones.

Keep in mind that this table is a simplified example and doesn't account for daylight saving time changes. If your application needs to handle DST changes, you might need to include additional columns to store information about DST rules or consider using more advanced techniques.

When querying this table, you can easily retrieve the UTC offset for a specific time zone:

SELECT time_zone_name, utc_offset_minutes
FROM UTCTimeZoneOffset
WHERE time_zone_name = 'Eastern Standard Time';

Remember that time zone data and offsets can change due to policy updates, so make sure to keep this table up to date to ensure accurate conversions and calculations.
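To address the DST caveat above, an added example (not the post's own code) extends the table with rule columns and computes the effective offset for a UTC instant. The rows, the 'US Eastern' and 'US Pacific' names and the Nth-Sunday rule format are constructed assumptions, and the lookup runs against an in-memory SQLite stand-in.

```python
"""UTCTimeZoneOffset extended with DST rule columns (added illustration, not
the post's code). Rows and zone names are constructed; the rule format assumes
a northern-hemisphere zone whose DST starts and ends in the same calendar year
on the Nth Sunday of a month at a fixed local wall-clock hour (the US rule)."""
import sqlite3
from datetime import date, datetime, time, timedelta

SCHEMA = """
CREATE TABLE UTCTimeZoneOffset (
    time_zone_id        INT PRIMARY KEY,
    time_zone_name      VARCHAR(50),
    utc_offset_minutes  INT,   -- standard-time offset, as in the post
    dst_offset_minutes  INT,   -- extra minutes while DST applies; NULL = no DST
    dst_start_month     INT, dst_start_week INT,   -- DST begins Nth Sunday of month
    dst_end_month       INT, dst_end_week   INT,   -- DST ends   Nth Sunday of month
    dst_transition_hour INT    -- local wall-clock hour of both transitions
);
INSERT INTO UTCTimeZoneOffset VALUES
    (1, 'UTC',        0,    NULL, NULL, NULL, NULL, NULL, NULL),
    (2, 'US Eastern', -300, 60,   3, 2, 11, 1, 2),
    (3, 'US Pacific', -480, 60,   3, 2, 11, 1, 2);
"""


def open_offsets_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def nth_sunday(year: int, month: int, n: int) -> date:
    first = date(year, month, 1)   # weekday(): Monday = 0 ... Sunday = 6
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


def effective_offset(conn: sqlite3.Connection, zone: str, instant: datetime) -> int:
    """UTC offset in minutes for `zone` at a naive UTC `instant`, honouring DST.

    Each transition is converted to UTC with the offset in force just before
    it: standard time before DST starts, DST before it ends. That is why the
    same 02:00 local maps to different UTC hours in March and November, the
    detail a single static offset column cannot express."""
    row = conn.execute(
        "SELECT utc_offset_minutes, dst_offset_minutes, dst_start_month, "
        "dst_start_week, dst_end_month, dst_end_week, dst_transition_hour "
        "FROM UTCTimeZoneOffset WHERE time_zone_name = ?", (zone,)).fetchone()
    if row is None:
        raise KeyError(zone)
    std, dst, s_month, s_week, e_month, e_week, hour = row
    if dst is None:
        return std
    start_local = datetime.combine(nth_sunday(instant.year, s_month, s_week), time(hour))
    end_local = datetime.combine(nth_sunday(instant.year, e_month, e_week), time(hour))
    start_utc = start_local - timedelta(minutes=std)
    end_utc = end_local - timedelta(minutes=std + dst)
    return std + dst if start_utc <= instant < end_utc else std


def offset_at(conn: sqlite3.Connection, zone: str, utc_iso: str) -> int:
    """Same lookup with the UTC instant given as 'YYYY-MM-DDTHH:MM'."""
    return effective_offset(conn, zone, datetime.fromisoformat(utc_iso))
```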

Sunday, January 14, 2018

ScrumMasters and Employee Retention

As we move into a projected period of prosperity, key job listing sites are employing 'poach' techniques to get individuals who are already gainfully employed to look at employer listings for other positions.

Sites like Zip, Indeed, Monster and others make their living by charging employers to post their job openings with the promise of supplying them names and profiles of potential hires.

It is only a matter of time before these sites match the skills of your team members with their job postings and start sending them emails with positions for their consideration.

As a ScrumMaster you are the first line of defense safeguarding the technical expertise of your teams from falling for those 'greener-grass' enticements.

The first thing I suggest you do is talk to the others in your company who fill the role of ScrumMaster and those who help create and maintain the workflow. Discuss quality of life enhancements that can be included when putting together sprint goals.

Sit down with the human resources brain trust that oversees onboarding activities. An HR department professional can put an actual dollar amount on the cost of finding and onboarding a new employee. They might even be able to help with ideas about those quality of life nuggets you are always looking for.

Use the numbers HR gave you as ammunition when you sit with managers and encourage them to sign off on quality of life and job satisfaction ideas. Remember, the goal here is employee retention and we're using real-world carrot-and-stick techniques to keep our team members happy while at work.

Convince managers to invest in continuing education group plans like those offered by Lynda.com which have classes that extend beyond those for technology professionals.

It is the 'happy with my job' attitude of your team members that you as a ScrumMaster should have an eye on; you are the first line of defense to safeguard the brain trust of your teams and your company.

Sunday, January 7, 2018

Shakespeare and the Hiring Process

Mid-summer of the year 2000, after the excitement of the Subway Series, I was finishing up a programming project which took a set of code built by George Washington University called "Blackboard" and retrofitted it to build NYUOnline.com.

It was a great gig, but the working conditions kinda sucked. My desk was more-or-less in a hallway between the operations office and their sales office with the door leading to the elevator behind me. And it wasn't really a desk, it was one of those small reading tables you might find in a library. If I was going to use a reference book or read some of the Blackboard documentation I had to put my keyboard on top of the monitor.

The location was a perfect place to learn about 'The Big Apple'. It was on the 500 block of Broadway, NY, which is between Houston (pronounced 'how-ston') and Canal Streets, which put me right in the middle of SoHo near the neighborhoods of Chinatown and Little Italy. It is this area of the city where at 5 p.m. the sidewalks are packed shoulder to shoulder with people trying to get to their train or bus so they can go home.

Regardless of the working conditions I had to stick it out; I rented a house on Staten Island, having made the move from Taylorsville, NC.

At the end of 2000 the "dot.com" bubble was about to burst and NYU decided to take the endeavor in-house, reducing the funding. When they had released half of their sales and operational staff I saw the writing on the wall and went to Monster.com to find another ColdFusion position in New York City.

I had two job offers fairly quickly. ColdFusion programmers who can also do database work (now called "full-stack" developers) were a rare breed back then. It was only a couple of days before I had two interviews both of which turned into job offers.

The first was MarthaStewart.com. This was the time when Martha was at the top of her game and a full three years before she reported for a five-month term in federal prison for lying to federal investigators. They had a large staff working on her web presence, the offices were nice and fully decorated as an homage to Martha with pictures of her and food too pretty to eat.

The other was LAWTRAC.com. Their offices were on the eleventh floor of an office building on Montague Street in Brooklyn. Here I would be the only programmer taking an older application and converting it to a web-based offering.

With both offers being exactly the same dollar-wise the choice was easy. I went to work for LAWTRAC where I would be 'the guy' with, more-or-less, a free hand to simply develop.

For the next fourteen years I was 'the guy'. Not only did I do all the application programming, but I designed the database, made the hosting and delivery decisions, added modules and functionality that no one in our industry of matter management software for corporate legal departments had or was even close to having.

I was in Hog Heaven, working most of the time from my house on Staten Island, then moving to Brooklyn after a stabbing incident (another story) and finally to a neighborhood on Long Island called Carle Place.

I was fully engulfed in ColdFusion and database programming and the world of corporate legal needs and using the programming to meet those needs. I traveled the country doing product demos, working with customers, tradeshows and had speaking engagements on both corporate legal data management and ColdFusion programming techniques.

By 2009 we had hired two additional programmers. One had a focus on creating custom reports for clients and the other's forte was writing the data exchange packages so the legal and financial data could talk to other programs.

Life was great - I was THE big fish in a little pond, making great money and had earned five-percent ownership in the company, a reward for sticking around during the lean times when the company was struggling.

By the time we received our buy-out offer from Mitratech and Vista Equity Partners the software industry had completely recovered from the 'Dot.com' downturn. This recovery period ushered in more structure to the methodologies software companies were using to produce their products. The older method called "Waterfall" turned into a piecemeal structure called "Agile". The industry incorporated things called Product Managers who worked with the clients to identify needed changes to continue to meet client needs. The Agile methodology also used positions called Scrum Masters who took the needed changes and broke the requirements down so the changes could be done in a structured, more modular method.

A far cry from what we at Lawtrac were doing. After all, with a programming staff of three we didn't need all that additional overhead because I was doing all the things Product Managers, Project Managers, and Scrum Masters were doing. And we were doing fine, we had clients like Oprah, United Technologies, all the major oil companies, health care equipment providers, Federal Express, even the American Bar Association used our software to track their legal matters.

The American Bar Association, getting them as a client was like getting the contract to provide the candles to the Vatican. To this day I don't understand why the new owners haven't leveraged that to boost their sales.

Mitratech is a 'best practices' company using the Agile method to produce software. So quickly I had to adapt; I took classes on Lynda.com, bought books from Amazon and by February of 2014 I was up to speed and had brought the Lawtrac development and support staff up to speed as well.

I realize now that during the time I was the 'big fish' writing the software I did so in a bubble. My world consisted of writing code, caring for customer needs, speaking at conferences, doing trade shows, generally helping to enrich my meager five-percent ownership. The industry of software production had introduced business processes I was unaware of and the handing-over of Lawtrac source code to Mitratech felt like landing on the moon.

But I had helped to build a software company. I fought the good fight and afterwards walked away with enough money to buy and furnish a house in Austin, TX. I moved there thinking that I would fit in at Mitratech and could continue working on what was more-or-less my baby and help it grow even more.

I eventually had to resign because the person at Mitratech (VP of Product Development) removed me from the role of being a programmer who worked with clients to continue to build a better product, placed me in a role of doing nothing more than support ticket changes, and handed the day-to-day programming tasks to complete strangers.

Three years have gone by, and I'm still trying to fit in where I can use the ColdFusion and database programming skills I have to earn a living.

But I'm finding that software companies don't want learned programmers. The conventional hiring practice follows the acronym "HIPLE" which stands for 'High Potential, Low Experience'. Recently I interviewed with a company which does corporate patent and trademark software (which would be right up my alley) called iRunWay and they actually said during the interview that they were concerned how I would fit in with a staff made up of all younger people. Two months ago, I met with a company called CoStar; I had gone through four interviews before they met me in person and I guarantee you that the only reason they rejected me was my greying hair. I'm still getting calls from recruiters about that position, CoStar had no other reason to reject me.

Since leaving Mitratech I've worked to bring my skills up to date, taking courses for my Project Management Professional certificate and Amazon Web Services Architect certification.

Getting past the young recruiter staff that software companies employ has also been a challenge. If I remove much of my work experience and the dates from my resume so my age is not as apparent I get calls, but once they begin to sense I'm over thirty those calls go downhill very quickly.

The whole experience reminds me of Shakespeare's St. Crispin's Day Speech, the ending….
And gentlemen in England now a-bed
Shall think themselves accurs'd they were not here,
And hold their manhoods cheap whiles any speaks

Of all the start-up companies in Austin, TX you would think that one would like to have a seasoned programmer who would bring a 'been there, done that' attitude, one who has experienced the programming pitfalls that many on their HIPLE staffs will make.

But I really think Shakespeare was onto something. When a recruiter or young hiring manager looks over my resume, they experience their own feelings of having missed out on something, like the birth of the Internet and the history that has led up to what the industry is today.

@TheCoStarGroup
@iRunwayInc

Tuesday, December 27, 2016

Fake Phone Apps Designed To Take Your Money

Apparently there is a very large increase in the number of smart phone apps that are designed to do one thing: steal your banking information and then rob you blind.

According to an alert published last week by the Federal Trade Commission these apps are designed to look like stores you already trust.

Source: https://www.consumer.ftc.gov/blog/theres-app-it-might-be-fake

Read the information on the link above - knowledge is power.

Thursday, September 15, 2016

Cisco Releases Security Updates

Cisco has released security updates to address vulnerabilities in several products. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system.
Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates:

Source: https://www.us-cert.gov/ncas/current-activity/2016/09/15/Cisco-Releases-Security-Updates

Wednesday, September 7, 2016

The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

SOURCE: https://www.us-cert.gov/ncas/alerts/TA16-250A

Systems Affected

Network Infrastructure Devices

Overview

The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.
To address threats to network infrastructure devices, this Alert provides information on recent vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention and mitigation recommendations.

Description

Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.
For several years now, vulnerable network devices have been the attack vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.

Proliferation of Threats to Information Systems

SYNful Knock

In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a crafted TCP SYN packet, a communication channel is established between the compromised device and the malicious command and control (C2) server. The impact of this infection to a network or device is severe and most likely indicates that there may be additional backdoors or compromised devices on the network. This foothold gives an attacker the ability to maneuver and infect other hosts and access sensitive data.
The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications. The implant resides within a modified IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. Any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after the device reboots. However, these devices are rarely or never rebooted.
To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attacker examines the functionality of the router and determines functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.
The attacker can utilize the secret backdoor password in three different authentication scenarios. In these scenarios the implant first checks to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will forward the credentials for normal verification of potentially valid credentials. This generally raises the least amount of suspicion. Cisco has provided an alert on this attack vector. For more information, see the Cisco SYNful Knock Security Advisory.
Other attacks against network infrastructure devices have also been reported, including more complicated persistent malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. For more information, please see Cisco's description of the evolution of attacks on Cisco IOS devices.

Cisco Adaptive Security Appliance (ASA)

A Cisco ASA device is a network device that provides firewall and Virtual Private Network (VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s network infrastructure, and to give remote users access to protected local resources.
In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were modified in an unauthorized way. The ASA devices directed users to a location where malicious actors tried to socially engineer the users into divulging their credentials.
It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices. The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software for more information and for remediation details.
In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco vulnerability (CVE-2016-6367). Although Cisco provided patches to fix this Cisco ASA command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable to the described attack. Attackers may target vulnerabilities for months or even years after patches become available.

Impact

If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data.
Intruders with infrastructure privilege and access can impede productivity and severely hinder re-establishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult.
Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts.

Solution

1.    Segregate Networks and Functions

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.
Physical Separation of Sensitive Information
Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.
Recommendations:
  • Implement Principles of Least Privilege and need-to-know when designing network segments.
  • Separate sensitive information and security requirements into network segments.
  • Apply security recommendations and secure configurations to all network segments and network layers.
Virtual Separation of Sensitive Information
As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.
Recommendations:
  • Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.
  • Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
  • Use VPNs to securely extend a host/network by tunneling through public or private networks.

2.    Limit Unnecessary Lateral Communications

Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow a network intruder to easily spread to multiple systems. An intruder can establish an effective “beach head” within the network, and then spread to create backdoors into the network to maintain persistence and make it difficult for defenders to contain and eradicate.
Recommendations:
  • Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or IP address to limit access from services and systems.
  • Implement a VLAN Access Control List (VACL), a filter that controls access to/from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
  • Logically segregate the network using physical or virtual separation allowing network administrators to isolate critical devices onto network segments.

3.    Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of resources to administrators on how to harden network devices. These resources include benchmarks and best practices. These recommendations should be implemented in conjunction with laws, regulations, site security policies, standards, and industry best practices. These guides provide a baseline security configuration for the enterprise that protects the integrity of network infrastructure devices. This guidance supplements the network security best practices supplied by vendors.
Recommendations:
  • Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, FTP).
  • Disable unnecessary services (e.g. discovery protocols, source routing, HTTP, SNMP, BOOTP).
  • Use SNMPv3 (or subsequent version) but do not use SNMP community strings.
  • Secure access to the console, auxiliary, and VTY lines.
  • Implement robust password policies and use the strongest password encryption available.
  • Protect router/switch by controlling access lists for remote administration.
  • Restrict physical access to routers/switches.
  • Backup configurations and store offline. Use the latest version of the network device operating system and update with all patches.
  • Periodically test security configurations against security requirements.
  • Protect configuration files with encryption and/or access controls when sending them electronically and when they are stored and backed up.
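A quick way to check a saved running-config against these recommendations, as an added example that is not part of the US-CERT alert or any vendor tool. The two sample configs are constructed, and the checks assume standard IOS syntax, where `no cdp run` and `no ip source-route` appear in the config only once those default-on features have been turned off.

```python
"""Audit a Cisco IOS-style running-config against the hardening recommendations
above (disable Telnet/HTTP/discovery/source routing, avoid SNMP community
strings, encrypt passwords, restrict remote administration).

Added example, not part of the US-CERT alert or any vendor tool. The two
configs below are constructed for illustration and are not from a real device.
"""
import re

# Constructed sample: a config with several weak settings still in place.
WEAK_CONFIG = """\
hostname edge-rtr
service password-encryption
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same device after applying the recommendations.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
no ip http server
no cdp run
no ip source-route
ip ssh version 2
snmp-server group NETADMINS v3 priv
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

# Features IOS enables by default; they only show up in the running-config
# as an explicit "no ..." line once an administrator has disabled them.
DEFAULT_ON = {
    "no cdp run": "CDP (discovery protocol) not disabled",
    "no ip source-route": "IP source routing not disabled",
}


def _vty_blocks(lines):
    """Yield the lines of each 'line vty ...' section (indented lines belong to it)."""
    block = None
    for line in lines:
        if line.startswith("line "):
            if block:
                yield block
            block = [line] if line.startswith("line vty") else None
        elif block is not None and line.startswith(" "):
            block.append(line.strip())
        elif block is not None:
            yield block
            block = None
    if block:
        yield block


def audit_ios_config(config):
    """Return a list of (finding, evidence) tuples; an empty list means no issues."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []

    if "service password-encryption" not in lines:
        findings.append(("Password encryption not enabled", "service password-encryption missing"))
    for line in lines:
        if re.match(r"^ip http server$", line):
            findings.append(("HTTP management interface enabled", line))
        if line.startswith("snmp-server community "):
            findings.append(("SNMPv1/v2c community string configured; use SNMPv3", line))
    for required, msg in DEFAULT_ON.items():
        if required not in lines:
            findings.append((msg, f"{required} missing"))

    for block in _vty_blocks(lines):
        transports = [x for x in block if x.startswith("transport input")]
        ssh_only = bool(transports) and all(x.split()[2:] == ["ssh"] for x in transports)
        if not ssh_only:
            findings.append(("VTY transport not restricted to SSH", block[0]))
        if not any(x.startswith("access-class") for x in block):
            findings.append(("VTY has no access-class limiting remote administration", block[0]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_ios_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for msg, evidence in results:
            print(f"  - {msg}  [{evidence}]")
```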

4.    Secure Access to Infrastructure Devices

Administrative privileges on infrastructure devices allow access to resources that are normally unavailable to most users and permit the execution of actions that would otherwise be restricted. When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them. These compromised privileges can enable adversaries to traverse a network, expanding access and potentially allowing full control of the infrastructure backbone. Unauthorized infrastructure access can be mitigated by properly implementing secure access policies and procedures.
Recommendations:
  • Implement Multi-Factor Authentication – Authentication is a process to validate a user’s identity. Weak authentication processes are commonly exploited by attackers. Multi-factor authentication uses at least two identity components to authenticate a user’s identity. Identity components include something the user knows (e.g., password); an object the user has possession of (e.g., token); and a trait unique to the specific person (e.g., biometric).
  • Manage Privileged Access – Use an authorization server to store access information for network device management. This type of server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. To increase the strength and robustness of user authentication, implement a hard token authentication server in addition to the AAA server, if possible. Multi-factor authentication increases the difficulty for intruders to steal and reuse credentials to gain access to network devices.
  • Manage Administrative Credentials – Although multi-factor authentication is highly recommended and a best practice, systems that cannot meet this requirement can at least improve their security level by changing default passwords and enforcing complex password policies. Network accounts must contain complex passwords of at least 14 characters from multiple character domains including lowercase, uppercase, numbers, and special characters. Enforce password expiration and reuse policies. If passwords are stored for emergency access, keep these in a protected off-network location, such as a safe.

5.    Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can implement corrective actions without allowing the adversary who may have already compromised a portion of the network to observe these changes.
OoB management can be implemented physically or virtually, or through a hybrid of the two. Building additional physical network infrastructure is the most secure option for the network managers, although it can be very expensive to implement and maintain. Virtual implementation is less costly, but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.
Recommendations:
  • Segregate standard network traffic from management traffic.
  • Enforce that management traffic on devices only comes from the OoB.
  • Apply encryption to all management channels.
  • Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.
  • Manage all administrative functions from a dedicated host (fully patched) over a secure channel, preferably on the OoB.
  • Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs. Implement access controls that only permit required administrative or management services (SNMP, NTP, SSH, FTP, TFTP).

6.    Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.
Recommendations:
  • Maintain strict control of the supply chain; purchase only from authorized resellers.
  • Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.
  • Inspect the device for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices, verifying network configurations of devices on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.
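The hash-verification step above, as an added example that is not from the alert or any vendor tooling; the image bytes, the filename and the 'vendor database' are constructed. It also shows why checking file size alone misses the in-place overwrite described for SYNful Knock, where the implant replaces existing functions so the image size stays the same.

```python
"""Check a downloaded network-device image against vendor-published hashes
("perform hash verification and compare values against the vendor's database").

Added example, not from the US-CERT alert or any vendor tool. The image bytes,
the filename and the vendor hash list are constructed here for illustration;
in practice the expected digests come from the vendor's download portal.
"""
import hashlib
import hmac

IMAGE_NAME = "example-router-image.bin"  # constructed placeholder filename


def digest(data, algorithm="sha256", chunk=1 << 16):
    """Hash a bytes object incrementally (the same loop works for large images)."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def digest_file(path, algorithm="sha256"):
    """Hash a file on disk without loading it all into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(name, data, vendor_db):
    """Compare every digest the vendor publishes for `name`; return (ok, reason).

    vendor_db maps filename -> {algorithm: hex digest}. Digests are compared with
    hmac.compare_digest so the comparison does not leak timing information.
    """
    published = vendor_db.get(name)
    if not published:
        return False, "no vendor hash published for this filename"
    for algorithm, expected in published.items():
        actual = digest(data, algorithm)
        if not hmac.compare_digest(actual.lower(), expected.lower()):
            return False, f"{algorithm} mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, "all published digests match"


def size_only_check(data, expected_size):
    """The weak check: it still passes for an in-place overwrite of equal length."""
    return len(data) == expected_size


def build_sample():
    """Construct a clean image, an in-place tampered copy, and the vendor hash list."""
    clean = b"EXAMPLE-IMAGE-HEADER" + bytes(range(256)) * 64
    tampered = bytearray(clean)
    tampered[4096:4100] = b"\xde\xad\xbe\xef"  # 4 bytes overwritten, same length
    vendor_db = {IMAGE_NAME: {"sha256": digest(clean), "sha512": digest(clean, "sha512")}}
    return clean, bytes(tampered), vendor_db


if __name__ == "__main__":
    clean, tampered, vendor_db = build_sample()
    print("clean   :", verify_image(IMAGE_NAME, clean, vendor_db))
    print("tampered:", verify_image(IMAGE_NAME, tampered, vendor_db))
    print("size check on tampered image passes:", size_only_check(tampered, len(clean)))
```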

Shadow Broker Exploits

Vendor       CVE             Exploit Name               Vulnerability
Fortinet     CVE-2016-6909   EGREGIOUSBLUNDER           Authentication cookie overflow
WatchGuard   CVE-2016-7089   ESCALATEPLOWMAN            Command line injection via ipconfig
Cisco        CVE-2016-6366   EXTRABACON                 SNMP remote code execution
Cisco        CVE-2016-6367   EPICBANANA                 Command line injection remote code execution
Cisco        N/A             BENIGNCERTAIN/PIXPOCKET    Information/memory leak
TOPSEC       N/A             ELIGIBLEBACHELOR           Attack vector unknown, but has an XML-like payload beginning with <?tos length="001e.%8.8x"?
TOPSEC       N/A             ELIGIBLEBOMBSHELL          HTTP cookie command injection
TOPSEC       N/A             ELIGIBLECANDIDATE          HTTP cookie command injection
TOPSEC       N/A             ELIGIBLECONTESTANT         HTTP POST parameter injection

Thursday, June 2, 2016

Lenovo Accelerator Application Insecure Update Mechanism

Don't believe the rumor, this does not apply to ThinkPad or ThinkStation laptops.

A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.
The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.

Lenovo Security Advisory: LEN-6718

Potential Impact: Remote code execution by an attacker with local network access

Severity: High

Scope of Impact: Lenovo products described below

Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo recommends customers uninstall Lenovo Accelerator Application by going to the “Apps and Features” application in Windows 10, selecting Lenovo Accelerator Application and clicking on “Uninstall”.

Product Impact:
The Lenovo Accelerator Application was installed on some consumer notebook and desktop systems preloaded with the Windows 10 operating system.

Wednesday, April 20, 2016

MySQL Users - Update Your Servers Now

Source: Oracle

Oracle kind-a 'hid' the fact that some major security vulnerabilities were found in their MySQL product by listing the affected versions way at the bottom of their Critical Patch Advisory for April 2016.

From Oracle:

Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 136 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.
Please note that on March 23, 2016, Oracle released Security Alert for Java SE for CVE-2016-0636. Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced for CVE-2016-0636.
Please also note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 and 2.0 of Common Vulnerability Scoring Standard (CVSS). Future Critical Patch Updates and Security Alerts will be scored using CVSS version 3.0 only.
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Monday, April 18, 2016

Urgent - Uninstall Quick Time

REF: US-CERT

Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced

Systems Affected

Microsoft Windows with Apple QuickTime installed

Overview

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1]

Description

All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1]
The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] [3]

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.

Solution

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. [4]

References

Thursday, April 7, 2016

FTC Alert: Tech-Support Scams

Source: US-CERT
The Federal Trade Commission (FTC) has released an alert on tech-support themed telephone scams. In these schemes, fraudulent callers claim to be from legitimate technical support organizations and offer to fix computer problems that don't exist. Users should not give control of their computers to anyone who calls offering to "fix" a problem.
By: Andrew Johnson
Division of Consumer and Business Education, FTC

There’s a new twist on tech-support scams — you know, the one where crooks try to get access to your computer or sensitive information by offering to “fix” a computer problem that doesn’t actually exist. Lately, we’ve heard reports that people are getting calls from someone claiming to be from the Global Privacy Enforcement Network. Their claim? That your email account has been hacked and is sending fraudulent messages. They say they’ll have to take legal action against you, unless you let them fix the problem right away.

If you raise questions, the scammers turn up the pressure – but they’ve also given out phone numbers of actual Federal Trade Commission staff (who have been surprised to get calls). The scammers also have sent people to the actual website for the Global Privacy Enforcement Network. (It’s a real thing: it’s an organization that helps governments work together on cross-border privacy cooperation.)

Here are a few things to remember if you get any kind of tech-support call, no matter who they say they are:

  • Don’t give control of your computer to anyone who calls you offering to “fix” your computer.
  • Never give out or confirm your financial or sensitive information to anyone who contacts you.
  • Getting pressure to act immediately? That’s a sure sign of a scam. Hang up.
  • If you have concerns, contact your security software company directly. Use contact information you know is right, not what the caller gives you.

Friday, April 1, 2016

Ransomware and Recent Variants

Source: US-CERT


WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users’ systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:
  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.


This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.


In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.


Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. Once a Web server is compromised, uploaded Ransomware-Samas files are used to infect the organization’s networks.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.


The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.


IMPACT

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.


SOLUTION

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.
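The Locky description above (malicious Office documents or compressed attachments carrying macros or JavaScript) and the macro and attachment recommendations in the list are the kind of policy a mail gateway can enforce mechanically. The following is an added example, not part of the US-CERT alert: a Python attachment-policy check that flags script and executable attachments, macro-enabled Office extensions, OOXML documents that contain a VBA project even under a benign-looking extension, and scripts hidden inside zip archives. The file names, extension lists, and sample attachments are all constructed for this illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows executes directly when a user double-clicks them (assumed policy list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".exe", ".scr", ".bat", ".cmd", ".ps1"}
# Office formats whose extension already announces embedded macros.
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# OOXML containers (zip files) that can carry a VBA project regardless of extension.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
ZIP_EXTS = {".zip"}
# Archive formats this check does not parse; they are routed for manual review instead.
OPAQUE_ARCHIVE_EXTS = {".rar", ".7z"}


def _ext(name):
    return PurePosixPath(name.lower()).suffix


def _open_zip(data):
    """Return a ZipFile for the bytes, or None when they are not a valid archive."""
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def classify_attachment(name, data, depth=0):
    """Return a list of policy findings for one attachment; an empty list means no concern."""
    findings = []
    ext = _ext(name)
    if ext in SCRIPT_EXTS:
        findings.append(f"{name}: script or executable attachment ({ext})")
    if ext in MACRO_EXTS:
        findings.append(f"{name}: macro-enabled Office format ({ext})")
    if ext in OOXML_EXTS:
        zf = _open_zip(data)
        if zf is None:
            findings.append(f"{name}: Office extension but not a valid OOXML container")
        else:
            with zf:
                # Word stores macros at word/vbaProject.bin, Excel at xl/vbaProject.bin.
                if any(m.lower().endswith("vbaproject.bin") for m in zf.namelist()):
                    findings.append(f"{name}: OOXML document contains a VBA project")
    if ext in OPAQUE_ARCHIVE_EXTS:
        findings.append(f"{name}: compressed archive not inspected here; route for review")
    if ext in ZIP_EXTS:
        zf = _open_zip(data)
        if zf is None:
            findings.append(f"{name}: zip extension but not a valid archive")
        else:
            with zf:
                if depth >= 1:
                    findings.append(f"{name}: nested archive; route for review")
                else:
                    for info in zf.infolist():
                        if info.is_dir():
                            continue
                        inner = classify_attachment(info.filename, zf.read(info), depth + 1)
                        findings.extend(f"{name} -> {f}" for f in inner)
    return findings


def _zip_bytes(members):
    """Build an in-memory zip from a {member_name: content} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments; none of this is real malware, only structure.
SAMPLES = {
    "quarterly_report.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                         "word/document.xml": b"<w:document/>"}),
    "invoice_2016.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                     "word/document.xml": b"<w:document/>",
                                     "word/vbaProject.bin": b"placeholder VBA container"}),
    "scan.zip": _zip_bytes({"scan_0042.js": b"// constructed sample, does nothing\n"}),
    "photos.zip": _zip_bytes({"photo1.jpg": b"\xff\xd8\xff\xe0"}),
    "statement.pdf": b"%PDF-1.4 constructed sample",
    "archive.rar": b"Rar!\x1a\x07\x00",
}


def evaluate_samples():
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in evaluate_samples().items():
        print(f"{'BLOCK/REVIEW' if findings else 'allow':13} {name}")
        for finding in findings:
            print("    " + finding)
```

Running the module prints a verdict per sample: the plain .docx, the image archive and the PDF pass, while the .docx carrying `word/vbaProject.bin`, the zip containing a `.js` file and the unparsed `.rar` are flagged. The VBA check deliberately keys on the container's contents rather than the extension, because a macro document saved under a `.docx` name is exactly the case an extension-only filter misses.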


Thursday, March 10, 2016

Cisco Cable Modem with Digital Voice Remote Code Execution Vulnerability


Source: Cisco


A vulnerability in the web server used in the Cisco Cable Modem with Digital Voice Model DPC2203 could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.
The vulnerability is due to improper input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.
Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160309-cmre

Affected Products

  • Vulnerable Products

    The following Cisco products are vulnerable:
    • Cisco Cable Modem with Digital Voice Model DPC2203
    • Cisco Cable Modem with Digital Voice Model EPC2203

  • Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this vulnerability.

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

  • Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability.

    By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.