
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

November 2011 - Posts

HTML5 Security - The Good, Bad, and Ugly

Trend Micro shares benefits and considerations for this new web standard in a three-part series that I found to be informative. The final part was issued today.

HTML5 Security - The Good, Bad, and Ugly
http://blog.trendmicro.com/html5-thegood
http://blog.trendmicro.com/html5-the-bad
http://blog.trendmicro.com/html5-the-ugly

QUOTE: Welcome back to the final part of our miniseries on HTML5 and the security issues surrounding it. Today, we are going to look at what, in my opinion, is the scariest security concern HTML5 introduces by a long margin: BITB (Botnets In The Browser)

HTML5 - Benefits and considerations of new web standard

Trend Micro's first two posts in the series cover the benefits of HTML5 and the ways its new features can be misused by attackers

HTML5 - Benefits of this new web standard
http://blog.trendmicro.com/html5-thegood/

QUOTE: HTML5 is the fifth revision of the language that makes the web work, and this Wednesday we will be releasing a paper detailing some of the new attacks that are made possible by this technology. HTML5 (and its associated APIs) is not an upgrade like you may be familiar with when it comes to software – it’s actually a whole lot of individual features, each with differing browser support. There is a good Wikipedia article that shows which features are currently implemented. For me there are very many fantastic features in HTML5, but five of them really stand out – and I think these will really change how we interact with the web.

HTML5 - Considerations of this new web standard
http://blog.trendmicro.com/html5-the-bad/

QUOTE: In today’s post, we will look at how some of the features of HTML5 can be misused by attackers. This post is not meant to be an exhaustive list, but if you are interested in more details we will be releasing an in-depth paper on HTML5 Attacks tomorrow

Zeus - New version with Christmas 2011 theme

A Christmas-themed ZeuS web panel has surfaced. Per Trend Micro it is not a new bot build but the leaked Ghost Panel (a modified ZeuS 2.0.8.9 control panel) with a new skin, which shows that leaked ZeuS kits remain in active use by smaller criminal operators

Zeus - New version with Christmas 2011 theme
http://blog.trendmicro.com/merry-christmas-zeus/
http://blog.trendmicro.com/zeus-2-0-8-9-and-the-ghost-panel

QUOTE: This morning, I came across an entertaining Christmas-themed ZeuS Web panel while monitoring online forums. I investigated the contents of the web panel package, which turned out to be Ghost Panel with a modified skin. The Ghost Panel is an altered version of the last Zeus Web Panel (version 2.0.8.9) before the crimeware’s development was halted by its original author, Monstr/Slavik. The Ghost Panel was a craft of another hacker with the handle FreeZS, and was primarily created to become more resilient to AV monitoring. While professional criminal parties capitalize on ZeuS by improving the bot’s functionalities, this reminds us that leaked Zeus versions are still being utilized by petty criminals who continue to contribute to the number of ZeuS attacks that we are facing today.

UPS Undeliverable Phishing Scam - NOV 2011 version

Treat unexpected delivery notices with suspicion: a new wave of fake UPS "package not delivered" emails has been circulating throughout November, with volumes spiking over the Thanksgiving weekend

UPS Undeliverable Phishing Scam - NOV 2011 version
http://securitywatch.pcmag.com/none/291069-ups-phishing-scam-targets-cyber-monday-shoppers

QUOTE: As soon as you hit "confirm purchase," the anticipation begins: when will your package arrive? Preying on the emotionally charged experience, hackers know many of you will throw caution to the wind and click into an email that says “UPS package not delivered.” This latest email scam has been mutating and progressing since early November, according to antispam vendor Cloudmark, with reports spiking over Thanksgiving weekend.

AV Protection 2011 - New Fake AV product circulating

Please be careful of any unusual AV warnings or product offers, as new FakeAV attacks continue to circulate. This one uses fake spam alerts and bogus scan results, and blocks applications from running, to pressure the user into paying for the "cleanup":

AV Protection 2011 - New Fake AV product circulating
http://sunbeltblog.blogspot.com/2011/11/patrick-our-resident-rogue-av-expert.html
http://malwareprotectioncenter.com/2011/11/18/av-protection-2011-rogue-of-the-fakescanti-family/

QUOTE: AV Protection 2011 is a rogue of the FakeScanti Family, that uses deceptive tactics, fake spam email alerts, and results of fake scans showing the computer being infected, and also the blocking of all applications when trying to run them to scare the user into buying the rogue to clean the fake infections shown.

Facebook - New Worm circulating in wild

Be wary of messages from friends' accounts that link to an "image" file, along with spammed news alerts and free screensaver offers: this worm logs in with stolen credentials and spams each account's contacts with a link to a screensaver executable posing as a .JPG.

Facebook - New Worm circulating in wild
http://sunbeltblog.blogspot.com/2011/11/new-facebook-worm-in-wild.html

QUOTE: Our friends at CSIS, a Danish security company, have spotted a worm spreading within the Facebook platform. In a recent news article penned by Peter Kruse, the worm is said to be "a classic" one in terms of how it infects Internet users: uses stolen credentials to log in to Facebook accounts and then spam contacts. The message is said to contain a link to a file purporting to be an image—Screenshot of the file shows it has a .JPG extension—but it's actually a malicious screensaver. Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems.
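The lure works because a Windows screensaver (.scr) is just a renamed PE executable, and Explorer hides known extensions by default, so "photo.jpg.scr" is displayed as "photo.jpg". The check below is an added example, not code from the CSIS or GFI write-ups: it compares what a file's extension claims with the file's leading bytes (the format's magic number) and separately flags the double-extension trick. The file names and byte strings are constructed for illustration; the check also covers PDFs and other image types beyond the JPEG case in the post.

```python
"""Compare what a file's name claims with what its first bytes say.

A PE executable (.exe, .dll, .scr) starts with "MZ"; a JPEG starts with
FF D8 FF. A file with an image extension but a PE header, or one that
hides ".scr" behind ".jpg", is the kind of lure this worm uses.
"""
import os

# Leading bytes ("magic numbers") of the formats this check understands.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "pe": (b"MZ",),  # .exe, .dll and .scr all share the PE/MZ header
}

# What each extension claims the content is.
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".exe": "pe", ".scr": "pe", ".dll": "pe",
}

# Extensions Windows executes on double-click (a subset).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def sniff_type(head):
    """Identify the format from the first bytes of the file, or 'unknown'."""
    for kind, signatures in MAGIC.items():
        if any(head.startswith(sig) for sig in signatures):
            return kind
    return "unknown"


def classify(filename, head):
    """Return one of:
    'executable-double-extension'  name like photo.jpg.scr
    'executable-disguised'         non-executable extension, but PE content
    'content-mismatch'             extension and content disagree otherwise
    'no-signature'                 extension not covered by EXTENSION_TYPES
    'ok'                           extension and content agree
    """
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]
    # "photo.jpg.scr": an executable extension hiding behind a document one.
    if ext in EXECUTABLE_EXTENSIONS and EXTENSION_TYPES.get(inner_ext) not in (None, "pe"):
        return "executable-double-extension"
    claimed = EXTENSION_TYPES.get(ext)
    if claimed is None:
        return "no-signature"
    actual = sniff_type(head)
    if actual == claimed:
        return "ok"
    if actual == "pe":
        return "executable-disguised"
    return "content-mismatch"


def classify_file(path, nbytes=16):
    """Read the first bytes of a real file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify(os.path.basename(path), fh.read(nbytes))


# Constructed samples (not real captures): (name shown to the user, first bytes).
SAMPLES = [
    ("holiday_photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),   # genuine JPEG
    ("holiday_photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),  # PE renamed to .jpg
    ("holiday_photo.jpg.scr", b"MZ\x90\x00\x03\x00\x00\x00"),      # double extension
    ("receipt.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),               # genuine PDF
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print("%-24s %s" % (name, classify(name, head)))
```

`classify_file` does the same for a real download; run it over a mail attachment directory to find files whose contents do not match their names. Only the first 16 bytes are read, so it is cheap enough to run over a whole folder.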

Criminals sabotaging Cyber Monday, security experts warn

On the largest e-commerce day of the year, individuals should remain cautious of spammed email, Facebook messages, and phishing attacks

Criminals sabotaging Cyber Monday, security experts warn
http://www.computerworld.com/s/article/9222209/Criminals_sabotaging_Cyber_Monday_security_experts_warn

QUOTE: Security experts today warned consumers of a rapidly mutating spam campaign using bogus messages from United Parcel Service (UPS) claiming that a package could not be delivered. The spam run, which actually began earlier this month, is just one way that security researchers believe criminals will exploit the holiday season online buying spree.

WINDOWS 8: Special Registry setting for classic Start Menu

The Metro UI is designed for touch and mobile devices, and some users may prefer it on the desktop as well. For those who need the classic Start menu, the registry workaround below applies to the current Developer Preview build and is unsupported, so back up the registry first. A supported option for the classic approach would be beneficial for corporate users in a future build.

WINDOWS 8: Navigating the Start Menu
http://www.qa.com/about-qa/blogs/2011/november/windows-8-navigating-the-start-menu/

QUOTE: If you have stumbled across the beta version of Windows 8 you may too be struggling with the new start button, it just takes you from the Metro UI to the Desktop and back. With the Windows 8 client that I am using as the developer preview, the behavior of the start menu is not ideal. The Metro UI is designed for touch screens and all programs are placed on the Metro UI, we lose any sort of ordering that we have with the normal Start Menu > All Programs. In addition access to the search dialogue that is so useful in Windows 7 is lost. Thankfully help is at hand with a simple registry key change, setting RPEnabled to 0.

Mobile Security - List of Vulnerable Android Smartphones

Bit9 ranked the twelve Android handsets that ship with the most outdated software out of the box; the full list is in the links below

The 12 Most Vulnerable Smartphones
http://securitywatch.pcmag.com/none/290796-the-12-most-vulnerable-smartphones
http://www.bit9.com/orphan-android/

QUOTE: How vulnerable is your smartphone to malware attacks? Android is by far the most targeted mobile operating system, but some popular Android phones made by Samsung, HTC, and Motorola, fare a lot worse than others. Bit9, an enterprise-oriented security vendor, ranked the 12 most vulnerable cell phones (the "dirty dozen") based on how dated its software is out of the box. Android fragmentation is well documented, but your average cell phone user probably doesn’t care if he or she’s on Android 2.3 or Android 2.3.7. Functionally, the versions are similar.

Holiday 2011 - Online Shopping Safety Tips

Below are key safety tips from Facecrooks and Trend Micro for the holiday season:

Holiday 2011 - Online Shopping Safety Tips
http://facecrooks.com/Safety-Center/Internet-Safety-Privacy/Online-Shopping-Safety-Tips.html

QUOTE: Black Friday and Cyber Monday are just around the corner. Many shoppers will avoid the mayhem and madness of brick and mortar establishments in favor of online retailers. Online shoppers are a favorite target of cyber criminals. Your credit card details, banking information and personal data are under constant assault from cyber criminals trying to do you harm. The type of attacks seen by Trend Micro include:

* Blackhat SEO attacks – search results for hot items such as gadgets and others can be poisoned to lead users to malicious sites,

* Scams – coming off as online promos, scams trick users into becoming victims of their malicious schemes that can lead to information and financial theft.

* Session hijacking – users who do their shopping while connected to unsecure networks put themselves at risk of this attack, which involves sniffing through networks for certain kinds of information such as account credentials, and using the said information to impersonate the users and execute actions.

Trend Micro Safety tips
http://blog.trendmicro.com/online-shopping-safety-tips-infographic

Microsoft Security Essentials - New Beta version emerges

Registration has opened for a limited beta of Microsoft Security Essentials. Beta security software can misbehave or break a system, so run it only where you have the skills and time to troubleshoot issues if they surface.

Microsoft Security Essentials beta registration opens
http://blogs.technet.com/b/mmpc/archive/2011/11/18/microsoft-security-essentials-beta-registration-opens.aspx

QUOTE: The number of users that can participate in the Beta is limited, so sign up today and we will notify you once the Beta is available for download. We anticipate the Microsoft Security Essentials beta to be available to the general public by the end of the year.
New features in the Beta of Microsoft Security Essentials include:

* Enhanced protection through automatic malware remediation - The Beta will clean high-impact malware infections automatically, with no required user interaction.

* Enhanced performance - The Beta includes many performance improvements to make sure your PC performance isn’t negatively impacted.

* Simplified UI - Simplified UI makes Microsoft Security Essentials Beta easier to use.

* New and improved protection engine - The updated engine offers enhanced detection and cleanup capabilities.

Facecrooks - Facebook Safety Blog

This blog is a good resource for highlighting new Facebook attacks

Facecrooks - Facebook Safety Blog
http://facecrooks.com/

Facecrooks - Best Practices in using Facebook
http://facecrooks.com/Safety-Center/Safety-Center.html

Facecrooks - Privacy and Security made simple
http://facecrooks.com/Safety-Center/Facebook-Privacy-and-Security-Made-Simple.html

Facebook - Avoid the 15 Second video challenge

Please avoid suspicious links like this on Facebook

Facebook - Avoid the 15 Second video challenge
http://blog.eset.com/2011/11/13/facebook-video-scam-15-seconds-dont-watch-it-at-all

QUOTE: One of my Facebook friends drew my attention today to a fast-spreading link. I'm pleased to say that he knew better than to look at it, but I figured it was worth seeing what it was all about. The link comes with this message, according to Facecrooks.com (a good place to check for stuff like this):

98 Percent Of People Cant Watch This Video For More Than 15 Seconds

CLICK LINK TO WATCH VIDEO & SEE HOW LONG YOU CAN LAST!!

Needless to say, clicking the link is not a good idea. It's a survey scam: if you do follow the link, it takes you to a fake Facebook page that looks as if it contains a video, but if you click the "play" button, it loads a "Share" box so that you can irritate all your friends by spamming them with the same message

Microsoft Hyper-V Security recommendations

Below are key Microsoft resources for hardening Hyper-V hosts, with the TechNet best practices summarized after the links

Simple Security Recommendations When Using Hyper-V
http://technet.microsoft.com/en-us/security/hh535714

QUOTE: Microsoft has a few articles on TechNet that outline some of the key aspects of a secure deployment of the Hyper-V virtualization technology, a feature of Windows Server 2008 R2.

Microsoft Hyper-V Security Best Practices
http://technet.microsoft.com/en-us/library/dd283088(WS.10).aspx

-- Use a Server Core installation of Windows Server 2008 for the management operating system.
-- Do not run any applications in the management operating system—run all applications on virtual machines.
-- Use the security level of your virtual machines to determine the security level of your management operating system.
-- Do not give virtual machine administrators permissions on the management operating system.
-- Ensure that virtual machines are fully updated before they are deployed in a production environment.
-- Ensure integration services are installed on virtual machines.
-- Use a dedicated network adapter for the management operating system of the virtualization server.
-- Use BitLocker Drive Encryption to help protect resources.


FBI Operation Ghost Click - Largest Cybercriminal shutdown in history

As TrendLabs notes, the FBI's Operation Ghost Click is the largest cybercriminal takedown to date: a botnet of more than four million infected machines and a C&C infrastructure of over 100 servers

FBI Operation Ghost Click - Largest Cybercriminal shutdown in history
http://blog.trendmicro.com/esthost-taken-down-%e2%80%93-biggest-cybercriminal-takedown-in-history/

QUOTE: On November 8, a long-living botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro and a number of other industry partners. In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia. Here is the link to the press release of the FBI.

The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider. The following links relate to this entry:

PDF Malware - Increase for holiday season

GFI/Sunbelt warns that malicious PDF attachments posing as delivery notices, receipts, and tickets are circulating again for the holiday season, currently in a campaign impersonating the US Postal Service

PDF Malware - Increase for holiday season
http://sunbeltblog.blogspot.com/2011/11/pdf-malware-is-back-in-season.html

QUOTE: Avid readers of the GFI Labs blog can attest that they're no strangers to this kind of attack: one receives an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it's either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be varies, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer.

Our researchers in the AV Labs have been seeing an uptick of this particular campaign, which poses as a message from the United States Postal Service (USPS) and bears the subject "Package is was not able to be delivered please print out the attached label".

Android AV protection test results

AV-Test found that most free Android antivirus apps detected fewer than 10 percent of the samples used. Kaspersky and F-Secure detected over half, and Zoner was the best free product at 32 percent. Mobile AV products are still maturing against these new threats

Report: Most Free Android Antivirus Apps Useless
http://securitywatch.pcmag.com/security-software/290411-report-most-free-android-antivirus-apps-useless

QUOTE: Each product was installed on an Android device containing inactive specimens of over 150 recent Android threats. Researchers ran an on-demand scan and recorded how many threats were detected. Kaspersky and F-Secure detected over half. The best free product, Zoner Antivirus, caught 32 percent. All the rest detected under 10 percent, and some didn't detect any samples at all.

Duqu worm - Microsoft Hotfix and other protective measures

Below are six recommendations for protection, collected from PC Magazine and Dark Reading:

PC Magazine -- Six Ways to Protect Yourself from Duqu
http://securitywatch.pcmag.com/malware/290204-six-ways-to-protect-yourself-from-duqu
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231902310/five-things-to-do-to-defend-against-duqu.html?itc=edit_stub

QUOTE: Six Ways to Protect Yourself from Duqu

1. Microsoft Hotfix available
2. AntiVirus updates
3. Avoid unknown documents
4. Monitor for infected machines on network
5. Watch Port 443 traffic that's unencrypted
6. Keep an eye out for ~DQ files

Microsoft Hotfix available
http://www.pcmag.com/article2/0,2817,2395861,00.asp
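Items 5 and 6 are detection advice rather than patching advice. The code below is an added example, not from PC Magazine or Dark Reading, showing what each check looks like in practice. A TLS session to port 443 opens with a handshake record (content type 0x16, version 3.x) carrying a ClientHello (handshake type 0x01), so a flow whose first client bytes to 443 are plain HTTP deserves a look; and the post's advice to watch for ~DQ files becomes a directory walk for that name prefix. The flows and byte strings are constructed samples, and the flow tuple format is an assumption of this example.

```python
"""Two of the Duqu checks above, as code: flag TCP/443 flows whose first
client bytes are not a TLS handshake, and find files named ~DQ*."""
import os


def looks_like_tls_client_hello(payload):
    """True if `payload` starts like a TLS record carrying a ClientHello.

    TLS record header: content type 0x16 (handshake), version 0x03 0x0N,
    two-byte length; the handshake message that follows starts with its
    type byte, 0x01 for ClientHello. SSLv2-style hellos (first byte has
    the high bit set) are not recognised by this check.
    """
    if len(payload) < 6:
        return False
    content_type, major, minor, handshake_type = payload[0], payload[1], payload[2], payload[5]
    return content_type == 0x16 and major == 0x03 and minor <= 0x04 and handshake_type == 0x01


def suspicious_443_flows(flows):
    """flows: iterable of (src, dst, first_client_bytes) with src/dst as 'ip:port'.
    Return the (src, dst) pairs to port 443 whose first bytes are not a TLS
    ClientHello, i.e. likely unencrypted traffic on the HTTPS port."""
    return [(src, dst) for src, dst, data in flows
            if dst.rsplit(":", 1)[1] == "443" and not looks_like_tls_client_hello(data)]


def is_dq_name(filename):
    """Windows file names are case-insensitive, so compare upper-cased."""
    return filename.upper().startswith("~DQ")


def find_dq_files(root):
    """Walk `root` (for example a user's %TEMP%) and return paths of ~DQ* files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_dq_name(name):
                hits.append(os.path.join(dirpath, name))
    return hits


# Constructed samples (not real captures).
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2f"      # handshake record, TLS 1.0 header
                    b"\x01\x00\x00\x2b\x03\x03"  # ClientHello, client_version TLS 1.2
                    + b"\x00" * 32)              # client random (truncated sample)
PLAIN_HTTP = b"GET /index.php?id=1 HTTP/1.1\r\nHost: 203.0.113.20\r\n\r\n"

SAMPLE_FLOWS = [
    ("10.0.0.5:49152", "203.0.113.10:443", TLS_CLIENT_HELLO),  # normal HTTPS
    ("10.0.0.7:49153", "203.0.113.20:443", PLAIN_HTTP),        # cleartext on 443
    ("10.0.0.7:49154", "203.0.113.20:80", PLAIN_HTTP),         # ordinary HTTP
]

if __name__ == "__main__":
    for src, dst in suspicious_443_flows(SAMPLE_FLOWS):
        print("non-TLS traffic to 443: %s -> %s" % (src, dst))
    for path in find_dq_files(os.environ.get("TEMP", "/tmp")):
        print("~DQ file:", path)
```

In practice the first client bytes of each flow come from a packet capture or an IDS that reassembles streams; the function is deliberately independent of the capture tool. Legitimate non-TLS use of 443 exists (some VPNs and proxies), so treat a hit as a lead to investigate, not as proof of infection.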

Microsoft Security Release - November 2011

These important security updates should be applied promptly:

Microsoft Security Release - November 2011
http://technet.microsoft.com/en-us/security/bulletin/ms11-nov
http://blogs.technet.com/b/srd/archive/2011/11/08/assessing-the-exploitability-of-ms11-083.aspx

ISC Analysis
http://isc.sans.edu/diary.html?storyid=11971

QUOTE: The vulnerability presents itself in the specific scenario where an attacker can send a large number of specially crafted UDP packets to a random port that does not have a service listening. While processing these network packets it is observed that some used structures are referenced but not dereferenced properly. This unbalanced reference counting could eventually lead to an integer overflow of the reference counter

FBI Operation Ghost Click - $14 Million operation shutdown

The FBI has taken down the DNSChanger operation, a malware scheme that rewrote victims' DNS settings so that their lookups went to rogue servers controlled by the criminals.

FBI takes out $14M DNS malware operation
http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911
http://www.networkworld.com/community/blog/fbi-takes-out-14m-dns-malware-operation
http://www.f-secure.com/weblog/archives/00002268.html

QUOTE: US law enforcement today said it had smashed what it called a massive, sophisticated Internet fraud scheme that injected malware  in more than four million computers in over 100 countries while generating $14 million in illegitimate income. Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA.

Details of the two-year FBI investigation called Operation Ghost Click were announced today in New York when a federal indictment was unsealed against six Estonian nationals and one Russian national.  The six cyber criminals were taken into custody yesterday in Estonia by local authorities, and the U.S. will seek to extradite them. In conjunction with the arrests, U.S. authorities seized computers and rogue DNS servers at various locations.

Beginning in 2007, the cyber thieves used malware known as DNSChanger to infect computers worldwide, the FBI said.  DNSChanger redirected unsuspecting users to rogue servers controlled by the cyber thieves, letting them manipulate users' web activity.  The defendants also inflicted the following:

* Unwitting customers of the defendants' sham publisher networks were paying for Internet traffic from computer users who had not intended to view or click their ads.

* Users involuntarily routed to Internet ads may well have harbored discontent with those businesses, even though the businesses were blameless.

* And then there is the harm to the users of the hijacked computers. The DNSChanger malware was a virus more akin to an antibiotic-resistant bacterium. It had a built-in defense that blocked anti-virus software updates. And it left infected computers vulnerable to other malware.
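Both Ghost Click posts above come down to one indicator on the victim's side: the configured DNS resolvers point at addresses the user never chose. The check below is an added example, not code from the FBI, Trend Micro, or F-Secure, that reads the resolver list from `resolv.conf` or from pasted `ipconfig /all` output and reports any server that falls inside the address ranges of the rogue DNS servers. Those six ranges are the ones the FBI listed in its DNSChanger notice; they are not reproduced on this page, so verify them against the FBI's publication before relying on the list. The sample configuration text is constructed.

```python
"""Check whether a host's configured DNS resolvers fall inside the
address ranges used by the DNSChanger rogue DNS servers."""
import ipaddress
import re

# Rogue DNS server ranges as published in the FBI's DNSChanger notice
# (not reproduced in the blog post above; verify before relying on them).
DNSCHANGER_ROGUE_RANGES = [
    ipaddress.ip_network(cidr) for cidr in (
        "85.255.112.0/20",   # 85.255.112.0 - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0 - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0 - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0 - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0 - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0 - 64.28.191.255
    )
]

_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def nameservers_from_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_servers_from_ipconfig(text):
    """Pull the 'DNS Servers' values out of `ipconfig /all` output. The first
    address follows the label; further IPv4 addresses sit alone on the
    indented lines that follow it."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            servers.append(stripped.split(":", 1)[1].strip())
            in_dns_block = True
        elif in_dns_block and _IPV4.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns_block = False
    return servers


def rogue_dns_servers(servers, rogue_ranges=DNSCHANGER_ROGUE_RANGES):
    """Return the subset of `servers` inside a rogue range. Entries that are
    not valid addresses (e.g. IPv6 with a zone suffix) are skipped."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue
        if any(addr in net for net in rogue_ranges):
            hits.append(server)
    return hits


# Constructed samples (not real captures): one rogue resolver in each.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real file
search example.test
nameserver 85.255.112.36
nameserver 192.168.1.1
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.41
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    import sys
    try:
        with open("/etc/resolv.conf") as fh:
            servers = nameservers_from_resolv_conf(fh.read())
    except OSError:   # not a Unix host: fall back to the constructed sample
        servers = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)
    hits = rogue_dns_servers(servers)
    for hit in hits:
        print("DNS server %s is inside a DNSChanger range" % hit)
    sys.exit(1 if hits else 0)
```

On Windows, paste the output of `ipconfig /all` into `dns_servers_from_ipconfig`. One caveat: a PC that gets its resolver from a home router by DHCP will show the router's own address (192.168.1.1 in the sample), so a clean result here does not rule out rewritten DNS settings on the router itself; check the router's upstream DNS configuration as well.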
