Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

July 2012 - Posts

Microsoft HOTMAIL to be replaced with special version of OUTLOOK

Microsoft has announced that Hotmail will be replaced by Outlook.com, a consumer email service re-branded around the Outlook user interface, as noted below.

Microsoft HOTMAIL email service to be replaced with special version of OUTLOOK
http://www.marketwatch.com/story/microsoft-replacing-hotmail-with-outlook-2012-07-31
http://www.computerworld.com/s/article/9229828/Microsoft_reboots_Hotmail_to_build_consumer_destination_says_analyst

QUOTE: SAN FRANCISCO (MarketWatch) — Microsoft Corp. is replacing Hotmail, its Web-based consumer e-mail system, with an expanded version of Outlook, the system widely used by businesses. Microsoft said it is making Outlook.com available for preview on Tuesday, touting an upgraded Web-based system compatible with mobile devices and social networking. “In addition to a desktop application and a service for businesses, we’re offering Outlook as a personal email service – Outlook.com,” a company blog post said. Hotmail was a pioneer in Web-based e-mail systems which allowed users to access e-mail accounts independent of their workplace or their Internet service providers.

NEW OUTLOOK PREVIEW site for existing HOTMAIL USERS
http://www.outlook.com

London Olympics 2012 - Scams and Malware attacks circulating

McAfee Labs, Trend Micro, and other security firms are warning about scams and malware campaigns that use the London Olympics as bait, either to get users to disclose sensitive information or to infect their computers with malware.

London Olympics 2012 - Scams and Malware attacks circulating
http://blogs.mcafee.com/mcafee-labs/scams-surround-london-olympics
http://blog.trendmicro.com/more-london-olympics-related-threats/
http://blog.trendmicro.com/relay-race-to-ruin-cybercrime-in-the-olympics/
http://blog.trendmicro.com/illegal-tv-cards-allowing-free-olympic-viewing-sold-online/
http://blog.trendmicro.com/bogus-london-olympics-2012-ticket-site-spotted/
http://blog.trendmicro.com/countdown-to-the-olympics-are-you-safe/
 
QUOTE: These mails inform the recipients that they have won a substantial amount of money. After contacting the lottery manager, the victims of these rip-offs will be asked to pay “processing fees” or “transfer charges” so that the winnings can be distributed. Do you imagine these lottery payments will ever be received? In some cases, the organizers ask for a copy of the winner’s passport, national ID, or driver’s license. With that personal information compromised, future identity theft activities are guaranteed.

MS-CHAPv2 Protocol used by PPTP VPNs compromised with 100% success

Corporate security teams should evaluate and address the risks associated with any current usage of this protocol.  The analysis of the protocol, the proof-of-concept cracking approach, and the Pico Computing FPGA hardware used make this a fascinating read for security professionals.  The key observation is that the 24-byte MS-CHAPv2 response is three DES encryptions of the same 8-byte challenge hash, under keys cut from the 16-byte NT hash padded with five zero bytes: the third key has only two unknown bytes, and the first two keys can be found in a single 2^56 DES key search whose cost does not depend on password length or complexity.  What the attacker recovers is the NT hash itself, which is enough to authenticate and to derive the MPPE session keys; the plaintext password never has to be reconstructed.

MS-CHAPv2 Protocol compromised with 100% success
https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

QUOTE: Moxie Marlinspike and David Hulton gave a presentation at Defcon 20 on cracking MS-CHAPv2 with a 100% success rate. This protocol is still very much in use with PPTP VPNs, and WPA2 Enterprise environments for authentication. Moxie's recommendations:

1. All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2. Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

Knowing that MS-CHAPv2 can now be cracked, what alternatives are you considering to secure your now insecure communications? The two alternatives suggested by Moxie are "OpenVPN configuration, or IPSEC in certificate rather than PSK mode."
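The construction the talk exploits, as an added example in Go; it is not code from the talk, the ISC diary, or this blog. It uses the RFC 2759 section 9 test vectors (the RFC's values, not constructed here) and the standard library's crypto/des. The MD4 step that turns the RFC's password "clientPass" into the 16-byte NT hash is taken from the RFC rather than computed, since the attack only targets the DES stage. The block builds the 24-byte NT-Response exactly as the protocol does, then recovers the last two bytes of the NT hash from the third DES block with at most 65,536 trials, which is the reduction that leaves a single 2^56 search for the other two keys.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"fmt"
)

// RFC 2759 section 9 test vectors (the RFC's values, not constructed here).
// ntPasswordHash is MD4(UTF-16LE("clientPass")); the MD4 step is not
// computed in this example, only the DES-based response that the attack targets.
var (
	userName       = "User"
	authChallenge  = []byte{0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E, 0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28}
	peerChallenge  = []byte{0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E}
	ntPasswordHash = []byte{0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6, 0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE}
)

// expandDESKey spreads a 7-byte key fragment over 8 bytes, leaving the low
// bit of each byte for parity (RFC 2759 DesEncrypt). crypto/des ignores
// the parity bits, so they are left clear.
func expandDESKey(k7 []byte) []byte {
	k8 := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range k8 {
		k8[i] <<= 1
	}
	return k8
}

// desEncrypt encrypts one 8-byte block under a 7-byte MS-CHAP key fragment.
func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeHash is SHA1(PeerChallenge || AuthenticatorChallenge || UserName)
// truncated to 8 bytes (RFC 2759 ChallengeHash).
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// ntResponse pads the 16-byte NT hash with five zero bytes, cuts the 21
// bytes into three 7-byte DES keys and encrypts the SAME challenge hash
// under each (RFC 2759 ChallengeResponse). This is the whole weakness:
// key3 has 2 unknown bytes, and key1 and key2 share one known plaintext.
func ntResponse(ntHash, chal []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(z[i*7:i*7+7], chal)...)
	}
	return resp
}

// recoverKey3 brute-forces the last DES key from the last 8 response bytes.
// Five of its seven bytes are the zero padding, so at most 65536 DES
// operations yield NT hash bytes 14 and 15.
func recoverKey3(chal, resp3 []byte) (found []byte, trials int) {
	k7 := make([]byte, 7)
	for v := 0; v < 1<<16; v++ {
		k7[0], k7[1] = byte(v>>8), byte(v)
		if bytes.Equal(desEncrypt(k7, chal), resp3) {
			return []byte{k7[0], k7[1]}, v + 1
		}
	}
	return nil, 1 << 16
}

func main() {
	chal := challengeHash(peerChallenge, authChallenge, userName)
	resp := ntResponse(ntPasswordHash, chal)
	fmt.Printf("ChallengeHash %X\nNT-Response   %X\n", chal, resp)
	k3, trials := recoverKey3(chal, resp[16:24])
	fmt.Printf("NT hash bytes 14-15 = %X recovered after %d DES trials\n", k3, trials)
	// The remaining 14 bytes are two independent DES keys that encrypt the
	// same block chal to resp[0:8] and resp[8:16]; one 2^56 enumeration that
	// compares each trial ciphertext against both targets finds them.
	fmt.Printf("left to search: 2^56 keys for plaintext %X, targets %X and %X\n", chal, resp[:8], resp[8:16])
}
```

Run it with `go run`; the printed NT-Response should match the RFC's 82 30 9E CD ... D6 DF. Note what is recovered: the NT hash, not the password. That hash is all a client needs to complete MS-CHAPv2 and to derive the MPPE keys that encrypt PPTP traffic, which is why the advice is to treat PPTP as unencrypted rather than to lengthen passwords.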

NIST Computer Security Updates - July 2012

NIST standards provide helpful guidance in the corporate world for developing policies, standards, and procedures.  The two drafts discussed are SP 800-94 Revision 1 (Guide to Intrusion Detection and Prevention Systems) and SP 800-83 Revision 1 (Guide to Malware Incident Prevention and Handling for Desktops and Laptops).

NIST Updates Computer Security Guides
http://www.informationweek.com/news/government/security/240004585

QUOTE: The National Institute of Standards and Technology has released updated guidance on how federal agencies and businesses can deal with network attacks and malware. The advice comes in the form of two publications that have been revised to reflect the latest in security best practices: NIST's Guide to Intrusion Detection and Prevention Systems and Guide to Malware Incident Prevention and Handling for Desktop and Laptops. The agency is seeking public comments on the draft publications before releasing them in final form.

Windows 8 - McAfee Labs evaluates security

McAfee has a special series of articles on security in Windows 8 and its new application environment.  While the operating system itself is more secure than earlier versions, user actions and application-level weaknesses remain the key risks, as in other versions of Windows.  Below are the first three articles:

Windows 8 - McAfee Labs evaluates security
http://blogs.mcafee.com/mcafee-labs/windows-8-metro-brings-new-security-risks
http://blogs.mcafee.com/mcafee-labs/metro-interface-improves-windows-8-while-increasing-some-risks
http://blogs.mcafee.com/mcafee-labs/stronger-windows-8-still-vulnerable-through-apps-users

QUOTE: As with every version of Windows, we see various kernel improvements. With these changes to the OS, Microsoft has made a safer environment for users. But this environment is still vulnerable to the following security risks:

* Socially engineered emails or websites with executable attachments
* Vulnerabilities and exploits targeting Windows applications
* Mass-distributed desktop malware

Most of the malware that we see today does not go after the BIOS. Some go after the boot sequence and most go after the post-boot injection points such as start-up folders, AutoRun registry keys, and autoload DLL/component injection points. The secure boot architecture handles the preboot sequence and makes a good stab at boot driver validation, but there is some distance to go to guard all the injection points used by most malware. Future posts will include more analysis of Windows 8 and the state of its security. We will also explore implications for users and discuss best security practices for operating systems and applications.

Microsoft Windows 8 - Offers Improved Security

Security researchers at the Black Hat conference report low-level security improvements in Windows 8 (kernel pool and heap hardening, wider randomization of allocations) that will enhance protection against memory-corruption exploits.

Windows 8 Much More Secure than Windows 7
http://securitywatch.pcmag.com/none/300781-windows-8-much-more-secure-than-windows-7

QUOTE: Researchers Chris Valasek (Senior Security Researcher at Coverity) and Tarjei Mandt (senior vulnerability researcher at Azimuth Security) spend their days seeking ways to compromise security in Windows. They're good guys; if they find a problem they report it, rather than exploiting it for illicit gain. At the Black Hat conference they reported on their analysis of new low-level security features in Windows 8.

The precise details of what they discovered were barely within the realm of my comprehension. Apparently many doubly-linked lists within Windows 8 are now protected by "pool cookies." To avoid exploits that involve forcing arbitrary code or data into places it doesn't belong, Windows 8 randomizes locations for memory allocation and adds "guard pages" as needed. That sort of thing.   In between slides filled with code and intense details, Valasek and Mandt displayed a couple that anybody could understand. The column for Windows Vista was all red, meaning not secure. Windows 7 was close, with just a few green checkmarks. And of course Windows 8 displayed a column of solid green checkmarks. Expert or not, we know that green is good.

 

Microsoft Windows 7 - Disable third party Gadgets

Black Hat researchers warn that third-party (non-Microsoft) desktop gadgets in Windows 7 run with the capabilities of a normal application but without the scrutiny applied to executables, and can be used maliciously.

Microsoft Windows 7 - Disable third party Gadgets
http://securitywatch.pcmag.com/none/300819-kill-your-gadgets

QUOTE: Do you have any gadgets on your Windows 7 desktop, other than the ones that came with Windows? Kill them now! That's the message I took away from a Black Hat talk by researchers Mickey Shkatov and Toby Kohlenberg. The two took great pains to clarify that the talk represents their own opinions only, wholly unconnected with any employer past or present. Kohlenberg reported that he was initially skeptical. Gadgets are going away, so where's the value in studying them. "I told Mickey, if I write this code, you owe me." However, he changed his opinion after some study. Sure, Windows gadgets are going away, but the programming style and frameworks used to make gadgets exist in other areas too, most notably smartphone apps.

Why kill your gadgets? Simply put, they are an egregious security risk. A gadget can do anything a normal application can do, but without many of the protections and limitations applied to programs. "People don't perceive gadgets as applications, but they are," said Kohlenberg. "They can do anything any other app can do, and you can do things from a gadget that would immediately be flagged if you did it from a binary."  He went on to demonstrate a simple gadget that brings up gmail and sends a message to all of your contacts, with the gadget itself as an attachment. Yes, a self-replicating gadget! Sure, this won't work if you correctly log out of gmail every time you use it. Do you?

Safari 6 - New version of browser emerges

A new version of Safari has been released, as noted below.

Safari 6 - New browser version emerges
http://www.apple.com/safari/
http://support.apple.com/kb/HT5364

QUOTE: The new advanced features in Safari make it an even better place to explore the web. Safari searches even smarter so you’ll find web pages faster. It shows you all your open tabs in a great new way. Right from Safari, you can tweet web pages, post them to Facebook, or share them via Mail or Messages.

The Internet Association - formed to protect key interests

A new major trade group has been formed to give key Internet economic interests a voice with legislators.

The Internet Association - PR announcement
http://internetassociation.org/PR-InternetAssociation-120725.pdf

QUOTE: WASHINGTON – The Internet Association, the nation’s first trade association representing the interests of the Internet economy and America’s leading Internet companies, today named Michael Beckerman as its first President and Chief Executive Officer. The newly-formed Internet Association is comprised of some of the world’s most visible Internet companies and will be headquartered in Washington D.C. Beckerman will lead the Internet Association’s efforts to advance public policy solutions that strengthen and protect an open, innovative and free Internet.

Facebook and Other Tech Giants Form Trade Association to be the ‘Voice’ of the Internet
http://facecrooks.com/Internet-Safety-Privacy/facebook-and-other-tech-giants-form-trade-association-to-be-the-voice-of-the-internet.html

Facebook Scam - Received reports that your account has violated a policy

Scammers use a number of tactics to capture sensitive information, including free offers.  The scam Facecrooks describes here uses fear instead: the victim is told to take action or lose privileges.  Because the link leads to a look-alike login page rather than to Facebook itself, responding hands the attacker the account credentials.  Remain cautious and only respond to legitimate requests on Facebook's own domain.

Warning: We received from other users that your account has violated a policy that is considered to disturb or offend other users.
http://facecrooks.com/Scam-Watch/warning-we-received-reports-from-other-users-that-your-account-has-violated-a-policy-facebook-scam.html

Scam Type: Phishing

Trending: July 2012

Why it’s a Scam:  Clicking on the link in the scam post will direct you to the following URL. This is not a legitimate Facebook domain, but a casual user could be easily fooled by it. If you click continue you will no doubt be presented with an attempt to obtain your Facebook login credentials.

Bogus Facebook Offer pages designed to capture email addresses

Facecrooks warns of fake "Facebook Offer" pages designed to collect email addresses and other sensitive information.  They resemble legitimate advertising offers, and the article shares ways to tell whether an offer is valid.

How Scammers Can Use a Bogus ‘Facebook Offer’ to Obtain Your Email Address
http://facecrooks.com/Scam-Watch/how-scammers-can-use-a-bogus-facebook-offer-to-obtain-your-email-address.html

QUOTE: Recently, Facebook introduced ‘Facebook Offers’ for page owners. This allows businesses to create special offers and then post them to their Facebook page. All users have to do is click ‘Get Offer,’ and they will be emailed the details on how to claim it.  One thing you should be aware of is that as soon as you click the ‘Get Offer’ link, your name and email address is immediately shared with the Facebook page conducting the offer. Personally, I think it would be better if you received a notification that your information is going to be shared, and then given the option to proceed.

Password Analysis from recent security breaches

Hackers recently breached a number of websites and published the passwords they found.  Users continue to pick weak and popular passwords that put their online accounts at risk.  Choosing longer, less predictable passwords, together with a systematic way of remembering them, improves security (a friend of mine writes his down and keeps the list in his wallet).  Above all, don't use the same password on every website: people often use the same password for Facebook and for the email account behind it, so discovering the password to one resource leads to compromise of the other.

Password Analysis from recent security breaches
https://isc.sans.edu/diary.html?storyid=13720

QUOTE: Looking at the top 10 passwords and the top 10 base words, we note that some of the worst possible passwords are right there at the top of the list. 123456 and password are always among the first passwords that the bad guys guess because for some reason we haven't trained our users well enough to get them to stop using them.

Top 10 passwords
123456 = 1667 (0.38%)
password = 780 (0.18%)
welcome = 437 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Top 10 base words
password = 1374 (0.31%)
welcome = 535 (0.12%)
qwerty = 464 (0.1%)
monkey = 430 (0.1%)
jesus = 429 (0.1%)
love = 421 (0.1%)
money = 407 (0.09%)
freedom = 385 (0.09%)
ninja = 380 (0.09%)
sunshine = 367 (0.08%)

Password length (count ordered)
8 = 119135 (26.9%)
6 = 79629 (17.98%)
9 = 65964 (14.9%)
7 = 65611 (14.82%)
10 = 54760 (12.37%)
12 = 21730 (4.91%)
11 = 21220 (4.79%)
5 = 5325 (1.2%)
4 = 2749 (0.62%)
13 = 2658 (0.6%)
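A small version of the tally behind those tables, as an added Go example; it is not the ISC's tool or this blog's code, and the password list it analyses is constructed here rather than taken from the diary's data. It counts exact passwords, groups them by base word (what is left after stripping leading and trailing digits and symbols), builds the length histogram, and then uses the result as a blocklist, which is the practical use of such an analysis: rejecting "Sunshine2012!" at enrolment even though it passes a typical complexity rule.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample standing in for a leaked password list; not data
// from the ISC diary.
var sampleDump = []string{
	"123456", "password", "Password1", "password123", "welcome1",
	"Welcome2012", "ninja", "ninja99", "abc123", "123456789", "qwerty",
	"qwerty!", "sunshine", "sunshine1", "monkey", "Monkey12", "123456",
	"password", "password", "jesus1", "l3tm3in", "correcthorse", "Tr0ub4dor&3",
}

type entry struct {
	Key string
	N   int
}

// topN tallies items and returns the n most frequent, ties broken
// alphabetically so the output is deterministic.
func topN(items []string, n int) []entry {
	counts := map[string]int{}
	for _, it := range items {
		counts[it]++
	}
	out := make([]entry, 0, len(counts))
	for k, v := range counts {
		out = append(out, entry{k, v})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].N != out[j].N {
			return out[i].N > out[j].N
		}
		return out[i].Key < out[j].Key
	})
	if len(out) > n {
		out = out[:n]
	}
	return out
}

// baseWord strips leading and trailing digits/symbols and lower-cases the
// rest, so "Password1", "password123" and "PASSWORD!" all count under
// "password" (the grouping behind the diary's "base words" table).
// It returns "" for all-digit or all-symbol passwords.
func baseWord(pw string) string {
	notLetter := func(r rune) bool {
		return !((r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z'))
	}
	return strings.ToLower(strings.TrimFunc(pw, notLetter))
}

func baseWords(pws []string) []string {
	out := make([]string, 0, len(pws))
	for _, p := range pws {
		if b := baseWord(p); b != "" {
			out = append(out, b)
		}
	}
	return out
}

// lengthHistogram maps password length to count.
func lengthHistogram(pws []string) map[int]int {
	h := map[int]int{}
	for _, p := range pws {
		h[len(p)]++
	}
	return h
}

// isWeak rejects a candidate if it, or its base word, is on the blocklist
// built from the dump: "Sunshine2012!" satisfies a typical complexity rule
// yet is just "sunshine" with the usual decoration.
func isWeak(pw string, blocklist []entry) bool {
	b := baseWord(pw)
	for _, e := range blocklist {
		if e.Key == pw || (b != "" && e.Key == b) {
			return true
		}
	}
	return false
}

func main() {
	total := float64(len(sampleDump))
	fmt.Println("Top passwords")
	for _, e := range topN(sampleDump, 5) {
		fmt.Printf("%s = %d (%.2f%%)\n", e.Key, e.N, 100*float64(e.N)/total)
	}
	fmt.Println("Top base words")
	for _, e := range topN(baseWords(sampleDump), 5) {
		fmt.Printf("%s = %d\n", e.Key, e.N)
	}
	fmt.Println("Password length")
	for l, n := range lengthHistogram(sampleDump) {
		fmt.Printf("%d = %d\n", l, n)
	}
	block := append(topN(sampleDump, 10), topN(baseWords(sampleDump), 10)...)
	for _, c := range []string{"Sunshine2012!", "correct-horse-battery"} {
		fmt.Printf("%q weak: %v\n", c, isWeak(c, block))
	}
}
```

Replace sampleDump with one password per line from a dump to get the same three tables the diary shows; for a production blocklist, keep the full frequency list rather than the top ten.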

Physical Security - Lost devices in airports

This article is a reminder to keep track of equipment while traveling.  Beyond the replacement cost of a lost item, the information stored on it can undermine corporate security controls unless the device is encrypted.

Over 8,000 Laptops, Smartphones, Tablets, USB Drives Lost in Airports
http://securitywatch.pcmag.com/none/300014-over-8-000-laptops-smartphones-tablets-usb-drives-lost-in-airports

QUOTE: Traveling this summer? Know where your mobile device is at all times, Credant Technology advises.  Travelers left their wireless devices behind at "alarming rates" across the seven airports included in a recent airport survey—Chicago, Denver, San Francisco, Miami, Orlando, Minneapolis-St. Paul, and Charlotte— according to the second annual report from Credant Technologies. Researchers found 8,016 total lost devices in major airports, and security checkpoints were the most common place to misplace mobile devices, according to the report. Restrooms were another common area.

Of the devices misplaced in the airport, 43 percent were laptops and 45 percent were smartphones and tablets, according to the report. The remaining 12 percent were USB drives. Just a little over half, or 52 percent, of the devices are returned to their owners, Credant said. If they are not claimed, airports overwhelmingly donated them to charity or sold them at public auctions.

Facebook - New Multiple Accounts Warning

As documented by Facecrooks, Facebook is warning users it believes hold multiple accounts.  No action is being taken for now, but the control could be enforced more rigidly in the future.

Facebook - New Multiple Accounts Warning
http://facecrooks.com/Internet-Safety-Privacy/warning-our-systems-detected-you-have-multiple-accounts-nothing-to-worry-about-yet.html

QUOTE: Several Facebook users have reported receiving the following warning message from Facebook.

“It looks like you have more than one account on Facebook. Facebook is a community where people use their real identities so you always know who you’re connecting with. Maintaining multiple accounts is a violation of our Terms and could result in all of your accounts being disabled. Please remove this account and help us keep Facebook safe and enjoyable for everyone.”

This warning has been causing quite a stir today! Many users are worried that they will be losing their accounts, and many stated that they don’t have multiple accounts at all. It seemed rather odd that so many were receiving this message all of a sudden, so we reached out to Facebook to see if we could get an explanation.   We received the following message from Facebook a short while ago explaining what is going on:

“We are currently testing a system that warns users who have opened multiple accounts, we are not taking any action on these users for the time being so there’s no need for anyone to worry. We are iterating on this system to be more accurate and are only notifying possible violators.”

Windows 8 - October 2012 Release Announcement

Microsoft has targeted availability of Windows 8 for the end of October as noted below:

Windows 8 - October 2012 Release Announcement
http://www.thestreet.com/story/11609705/1/microsoft-confirms-windows-8-availability.html

QUOTE: Speaking at Microsoft's Worldwide Partners' Conference in Toronto, Tami Reller, the CFO of Windows and Windows Live, said that consumers can get their hands on the product by the end of October. The software, she explained, will release to manufacturers (RTM) during the first week of August. Microsoft is busily adding flesh to the bones of its Windows 8 strategy. Last week, the software giant confirmed that it will cost users just $39.99 for Windows 8 Pro if they upgrade from a previous version of Windows.

Windows 8 Team Blog - October 2012 Release
http://windowsteamblog.com/windows/b/bloggingwindows/archive/2012/07/09/upcoming-windows-milestones-shared-with-partners-at-wpc.aspx

DNSChanger Internet Client Shutdown - Most users will not be impacted

The media is urging users to make sure their computers are not infected with the DNSChanger malware, but the coverage has been sensationalized and exaggerated, and some people are panicking.  What actually happens is that the court-ordered substitute DNS servers, which have been answering queries for machines still pointed at the seized rogue resolvers, will be switched off; only the very small fraction of Internet users whose systems remain infected will lose name resolution.  The ISC publishes an excellent and realistic write-up of the scope of possible infections.

DNSChanger Internet Client Shutdown - Most users will not be impacted
https://isc.sans.edu/diary/The+FBI+will+turn+off+the+Internet+on+Monday+or+not+/13630

QUOTE: This news item led to a flood of news reports, which IMHO blow the entire affair out of proportion (the headline to this diary entry pretty much reflects a discussion I had today with a non-technical person responding to one of these articles).  In short: Don't worry. There are estimates of 250,000 infected systems based on data from the DNS changer working group. There are about 2,000,000,000 internet users. So about 0.01% of internet users are infected. In other words: Very few. People who have disregarded warning banners, phone calls from ISPs, AV warnings, and other notification attempts. They probably should be disconnected from the Internet.  Lastly: Tell people to go to dcwg.org (short for DNS Changer Working Group.org). It has a little test to tell you if you are affected or not. It also has a lot of first-hand information about this malware.
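A local check equivalent to the dcwg.org test, as an added Go example that is not from the ISC diary or this blog. The six rogue resolver ranges are the ones the DNS Changer Working Group and the FBI published for the seized Rove Digital servers, reproduced here from memory rather than from the page, so confirm them against dcwg.org before relying on them; the ipconfig and resolv.conf excerpts are constructed samples. The block pulls every IPv4 address out of either form of output and reports any that fall inside a rogue range.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rogue resolver ranges published by the DNS Changer Working Group and the
// FBI for the Rove Digital infrastructure. Reproduced from memory, not from
// the ISC diary; confirm against dcwg.org before relying on them.
var rogueCIDRs = []string{
	"85.255.112.0/20",
	"67.210.0.0/20",
	"93.188.160.0/21",
	"77.67.83.0/24",
	"213.109.64.0/20",
	"64.28.176.0/20",
}

// Constructed samples of the two places a Windows or Unix host shows its
// resolvers; the first DNS address in each is inside a rogue range.
const ipconfigSample = `Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.160.5
                                       192.168.1.1
`

const resolvConfSample = `# generated by dhclient
nameserver 85.255.112.35
nameserver 8.8.8.8
search example.net
`

func parseCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// extractIPv4 pulls every dotted-quad out of free-form text. The leader
// dots in ipconfig output and IPv6 fragments fail net.ParseIP and drop out.
func extractIPv4(text string) []net.IP {
	tokens := strings.FieldsFunc(text, func(r rune) bool {
		return !(r >= '0' && r <= '9') && r != '.'
	})
	var ips []net.IP
	for _, tok := range tokens {
		if ip := net.ParseIP(tok); ip != nil && ip.To4() != nil {
			ips = append(ips, ip)
		}
	}
	return ips
}

// findRogueResolvers returns the addresses in text that fall inside a
// rogue range, in order of appearance.
func findRogueResolvers(text string) []string {
	nets := parseCIDRs(rogueCIDRs)
	var hits []string
	for _, ip := range extractIPv4(text) {
		for _, n := range nets {
			if n.Contains(ip) {
				hits = append(hits, ip.String())
				break
			}
		}
	}
	return hits
}

func main() {
	samples := []struct{ name, text string }{
		{"ipconfig /all", ipconfigSample},
		{"/etc/resolv.conf", resolvConfSample},
	}
	for _, s := range samples {
		if hits := findRogueResolvers(s.text); len(hits) > 0 {
			fmt.Printf("%s: resolver(s) in DNSChanger range: %v\n", s.name, hits)
		} else {
			fmt.Printf("%s: clean\n", s.name)
		}
	}
}
```

Feed it the real `ipconfig /all` or `/etc/resolv.conf` output. A clean result is not proof of innocence: DNSChanger also rewrote the DNS settings of home routers that still had default passwords, in which case the host shows only the router's LAN address and the rogue resolver appears on the router's WAN settings page.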

Disaster Recovery - Five key tips for a successful plan

We are still recovering in our region one week later from the recent Derecho event. 

Five great DR tips are shared in this related article to facilitate future planning:

Disaster Recovery - Five key tips for a successful plan
http://washingtontechnology.com/articles/2012/07/02/recovery-tips-for-storms.aspx

QUOTE: A five-point plan for strategic disaster recovery can help you capture everything that you need to consider quickly and efficiently.

1. Communications - An effective disaster recovery plan is one that is understood and does not require a team of experts to interpret.

2. Business Process - A proficient disaster recovery plan anticipates different levels of risks inside and outside the enterprise and the inter-dependencies between people, technology, and external conditions beyond normal operational control.

3. Technology Risks - Remember that the restoring data only works if your original backup is actually validated and constantly checked for errors.

4. People Relocation - Be prepared to enable your staff to physically relocate quickly and efficiently to an alternate facility to ramp up operations in times of emergency, and account for external conditions such as weather, transportation, and power outages.

5. Keep It Simple - Finally, remember that if your plan is longer than several pages, it is likely to be misinterpreted by someone, hence, making your data center vulnerable to information

Disaster Recovery - Derecho on June 29, 2012 was wakeup call

On June 29, 2012, one of the top storms of a lifetime roared through our area and even a week later there are numerous power outages.  Our power company noted that the 90 high-power transmission lines that went down are not something that is easily fixed with a bucket truck.  The article below notes that this "storm of the century" is a wake-up call to brush the dust off our DR and contingency planning manuals and always be prepared for the worst.

Storms of June 29th 2012 in Mid Atlantic region of the USA
https://isc.sans.edu/diary.html?storyid=13600
http://en.wikipedia.org/wiki/June_2012_North_American_derecho

QUOTE: On June 29th 2012 a severe windstorm referred to as a derecho tore through the Midwest and MidAtlantic regions of the US. Over 1,750,000 homes and businesses were left without electricity. Datacenters supporting Amazon's AWS, Netflix and other large organizations were taken offline, and there were several deaths reported. I work for a company with a NOC and primary data-center in the path of the storm. A number of events took place. With day time temperatures near 108F and the windstorm coming through, the battery on the backup generator powering the data-center cracked and was not able to start the generator.

So on to old lessons learned – geographic redundancy is desirable, document everything in simple accessible procedures, some physical servers may be desirable, such as DHCP, and AD. Key services such as RADIUS must be available from multiple locations. Securely documenting addresses and passwords in an offline reachable manner is essential as well as documenting system startup procedures. Some new to me lessons learned are a little more esoteric. Complacency is a huge risk to an organization. Our company is undergoing a reorganization that is creating a lot of complacent and lackadaisical attitudes. It is hard to fight that.

Apple OS X - New MaControl variant in wild

Apple Mac users should be careful with these new targeted and sophisticated attacks, which arrive as email attachments.

New OS X trojan backdoor MaControl variant reported
https://isc.sans.edu/diary.html?storyid=13612
http://www.kaspersky.com/about/news/virus/2012/New_Mac_OS_X_Backdoor_Being_Used_for_an_Advanced_Persistent_Threat_Campaign
http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks

QUOTE: Kaspersky has reported that a new, previously undetected variant of the MaControl backdoor is being used in the wild. The malware arrives as an email attachment and, if installed, connects to a C&C server. More information on the malware, its behaviour, and the attack campaign is available from Kaspersky, who discovered this variant.

Facebook - $100 Starbuck scam circulating

Please be careful as several scams are actively circulating.  When it seems too good to be true, it always is.

Facebook - $100 Starbuck scam circulating
http://facecrooks.com/Scam-Watch/receive-100-starbucks-gift-card-for-free-official-facebook-scam.html

Scam Type: Bogus Offer, Fake Event, Survey Scam

Trending: June 2012

Why it’s a Scam:  The scam is spreading via Facebook Event invitations. If you notice the directions shown above, victims of this scam think they will receive more vouchers based on the number of friends they invite. Step 3 requires users to click on a blogspot URL. This should be a red flag. For one thing, why would Starbucks use Blogspot to run a promotion, and you should also be aware of the fact that a lot of scams are hosted on Blogspot as well. Here we see a very polished and nice Starbucks graphic, but don’t let the good looks fool you.
