August 2012 - Posts
The following provides DOD guidelines for locking down the Framework 4 environment
http://iase.disa.mil/stigs/app_security/app_services/app_serv.html
QUOTE: The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (S-CAP) in order to be able to “automate” compliance reporting of the STIGs.
Complete list of standards
http://iase.disa.mil/stigs/a-z.html
Germany has some of the strictest privacy laws in the world. Below is a recent development concerning Facebook
http://facecrooks.com/Internet-Safety-Privacy/german-consumer-group-gives-facebook-privacy-ultimatum.html
QUOTE: The Federation of German Consumer Organizations, a German consumer lobbying group, said on Monday that Facebook is giving away users’ information in its new App Center centre without first notifying them. The Federation gave Facebook a one-week ultimatum, until September 4, to comply with Germany’s rigid privacy laws and stop giving away users’ information to third-party apps or face legal action.
The Germans, having had a few run-ins with security and privacy issues in their past, have some of the strictest privacy laws in Europe, especially when it comes to data and information. However, they are by no means the first country to take a stand against Facebook. Norway and Ireland are also currently investigating the site to see if it violates any laws in their respective countries.
In the wake of the site’s historic public trading, the pressure has been building on Facebook to face up to its own privacy issues and become the responsible company it’s supposed to be. However, the site is all too often slow to respond to complaints and accusations, leading to damaging story after damaging story. Of course, being investigated by several foreign governments at once is never a good thing, either.
Some good basic tips for protecting students entering college this fall:
http://www.securitynewsdaily.com/2174-harden-college-laptop.html
QUOTE: However, before a laptop heads to college, there are steps that parents and students can take to ensure its safety. First, parents should make sure there is anti-virus software installed on the machine, whether it's a PC or a Mac. Often a new computer will come with a free anti-virus trial period, which can be extended for a fee.
It’s also important to make sure that all software on the computer is updated, or has automatic updates turned on. "If you have [a] system updated, but an old application that’s vulnerable, you're hosed," said Andy Willingham, an Internet security expert and blogger in Cincinnati.
Johnson also recommends using the NoScript add-on for the Mozilla Firefox Web browser. This free solution helps block drive-by downloads and generally offers more online security. Another big issue for college kids is to be aware of the information that is shared when they log into social-media sites, Willingham said.
"Just be really careful that you are using different passwords for different sites," he said. That way, online criminals and identity thieves who've gotten ahold of one password can’t steal information from other sites. Willingham also advises students not to access financial sites from public Wi-Fi networks, and to ask their schools if secured networks are available on campus.
"The last thing is to simply be vigilant," Johnson said.
Next month, a new preview version of Firefox should emerge which uses the new Windows 8 UI
http://www.digitaltrends.com/computing/firefox-metro-browser-september/
QUOTE: Mozilla will release a preview of Firefox for Windows 8 in September, complete with Modern UI styling and windowless Flash. Mozilla already announced plans earlier in the year to offer a Modern UI (formerly known as Metro) version of its popular browser, but now new details are beginning to emerge, including a few carefully placed screenshots like the one above.
Brian R. Bondy, a developer working on the project, posted an update to his blog outlining Mozilla’s progress and goals for the fall release. “Work on the Metro style enabled desktop browser has progressed steadily and things are looking really good,” Bondy writes. According to Bondy, a preview version of Firefox will be available first as a beta release, planned for later in the year. The preview will be styled as a “combined classic + metro browser” with classic desktop user interface elements for tabbed browsing and navigation.
More details can be found here:
https://wiki.mozilla.org/Firefox/Windows_8_Integration
Yesterday's patch release helps against the malicious threats actively circulating in the recent zero-day attacks. However, not all issues are fully resolved, and developments should be watched closely for any emerging threats.
http://news.softpedia.com/news/Java-Users-Still-Not-Safe-Experts-Report-New-Vulnerability-to-Oracle-Exclusive-289249.shtml
QUOTE: Researchers from Polish firm Security Explorations – the ones who were the first to report the vulnerabilities which led to the now-infamous Java zero-day – have just reported another similar bug to Oracle. This means that Java users are still exposed, even if they’ve applied the patch released by the company. “The out-of-band patch released by Oracle yesterday, among other things fixed the exploitation vector with the use of SunToolkit class, the one we used in our proof of concept codes. This made many of them not working...Till today,” Adam Gowdiak, founder and CEO of Security Explorations, told Softpedia via email.
“When combined with some of the Apr 2012 issues, the new issue (number 32) reported to Oracle today allows to achieve a complete JVM sandbox bypass in the environment of latest Java SE 7 Update 7 (version that was released on Aug 30, 2012). “What this means is that Java 7 users are still at risk from being exploited and the issues we reported to Oracle need to be addressed,” he added.
The new Zero Day JAVA exploits were patched yesterday by Oracle. A new variant of the OSX Tsunami malware agent may be compromising security protection. It is important to patch all platforms.
http://www.intego.com/mac-security-blog/osxtsunami-variant-found-dropped-by-java-0-day/
QUOTE: A variant of OSX/Tsunami has been found that is rumored to be dropped as a drive-by-download by the new Java 0-day exploit, CVE-2012-4681. This method of infection has not yet been confirmed, but as this OSX malware connects out to the same IP address as the Windows backdoors known to be dropped by CVE-2012-4681, it seems they are at least related incidents. At the time of writing, the JAR file that was purported to be dropping this Trojan has been replaced with a bit of threatening text
Security awareness is shared regarding the password reset mechanisms used by many websites. It's always best to select "Other" and compose a question that only you know the answer to.
http://securitywatch.pcmag.com/web-services/301737-select-strong-secret-questions-to-protect-accounts
http://www.intego.com/mac-security-blog/your-secret-question-may-not-be-so-secret-easy-to-guess-password-retrieval-questions-you-should-avoid-and-why/
QUOTE: Attackers aren't always brute-forcing passwords to compromise accounts. Sometimes, it's just as simple as looking at the password reset questions. By now, you should be aware that you need to be selecting long and complex passwords to protect your accounts. You also know that passwords should be unique and never reused among different sites.
But are you being careful about the password recovery question? Also called secret questions, these questions help Websites determine users are who they say they are in case the password is ever misplaced or the account locked. Users generally select one from a drop-down list and provide an answer, presumably one that only they know.
Questions should have the following traits, according to Myers:
* It should be applicable and pertain to your life events.
* It should be definitive and be one answer that does not change, even over time.
* It should be memorable and easy to remember.
* It should be secure so that it's difficult to guess, find the answer online, and long enough to act as a passphrase.
Blackberry users should exercise caution with email as noted in this warning:
http://securitywatch.pcmag.com/none/301904-fake-blackberry-id-emails-spread-malware
QUOTE: Have a BlackBerry? Watch out for a new malware campaign that masquerades as a legitimate account activation mail, Websense researchers warned. The latest malware is spreading and infecting networks using fake emails that inform recipients their BlackBerry ID has been created, researchers from Websense ThreatSeeker Network said. The text of the email is the same as the legitimate BlackBerry account creation notices sent by Research in Motion to new users. It's the attachment that is dangerous. Users are encouraged to download the malicious file and run the attachment. Attackers are then able to drop other malicious files and modify the system Registry, making it automatically run malware programs whenever the system starts.
This critical update should be applied expediently, as attacks are actively circulating
QUOTE: A short while ago, Oracle released updates for both Java 6 and Java 7 in response to the critical 0-Day vulnerabilities discussed earlier this week, as well as two other security issues. US-CERT has reported that applying Java 7 update 7 will solve the security issues as discussed at
More information is available at
As some employers are demanding access to employee Facebook accounts, California joins a couple of other states in curtailing this invasion of personal privacy.
http://facecrooks.com/Internet-Safety-Privacy/california-working-to-ban-employers-access-to-employee-facebook-accounts.html
QUOTE: Earlier this week, the California state senate voted unanimously for a bill preventing employers from demanding access to their employees’ Facebook profiles. It is the latest such move by states looking to prevent privacy rights; similar legislation passed in Maryland and Illinois earlier this year. However, a provision was written into that California bill that would allow employers access to their employees’ accounts to investigate allegations of misconduct or employee violations.
As U.S. states continue to act on this issue, there are questions on the federal level about regulating password access everywhere. Several officials believe that such demands may already violate federal law.
“In an age where more and more of our personal information–and our private social interactions–are online, it is vital that all individuals be allowed to determine for themselves what personal information they want to make public and protect personal information from their would-be employers,” Sen. Chuck Schumer said in a statement to the Associated Press. “This is especially important during the job-seeking process, when all the power is on one side of the fence.”
Sophos security is warning of malicious email messages that appear to come from Facebook. Please avoid opening any attachments. This is documented as follows:
http://nakedsecurity.sophos.com/2012/08/28/facebook-friend-photo-malware/
QUOTE: Computer users are being warned to be careful about opening unsolicited email attachments, after a malicious Trojan horse was spammed out posing as a Facebook notification that the recipient is featured in a newly uploaded photograph. The emails, which pretend to come from Facebook.
Unfortunately, the attached ZIP file contains malware, designed to allow hackers to gain control over your Windows computer. Sophos products intercept the malware as Troj/Agent-XNN. Last month, experts at SophosLabs saw another malware campaign posing as a Facebook photo tag notification. On that occasion, the emails did not contain attachments but instead linked to compromised websites which aimed to attack visiting computers with the Blackhole exploit kit.
EXAMPLE OF EMAIL MESSAGE
Subject: Your friend added a new photo with you to the album
Attached file: New_Photo_With_You_on_Facebook_PHOTOID[random].zip
Message body:
Greetings,
One of Your Friends added a new photo with you to the album.
You are receiving this email because you've been listed as a close friend.
[View photo with you in the attachment]
Facecrooks Security shares steps on how to remove the map if desired from the new Timeline feature
http://facecrooks.com/Internet-Safety-Privacy/facebook-timeline-publishes-users-location-data.html
QUOTE: Facebook is requiring all users to switch over to Timeline by fall, but some aspects of the feature aren’t exactly sitting well with users. For instance, some posts are now displaying a map with the location of the user when he or she posts something to Facebook.
Users can remove a link to the map from their timeline, as well as untag their location. However, these actions don’t entirely delete the map, which can still be found under its own URL (facebook.com/your.username/map/).
In other words, there are steps users can take to increase their privacy protection, but they can’t undo Facebook’s invasiveness entirely. If this concerns you from a privacy standpoint, then your best bet is to not approve tags that contain location data.
Follow these directions to remove your Map as a Timeline Favorite:
1. Navigate to your Timeline.
2. Depending on the number of Favorites on your Timeline, you might need to click the down arrow located underneath the Activity Log.
3. Hover over the top right corner of your ‘Map’ to display the edit icon.
4. Click the pencil and then select ‘Remove from Favorites.’
Hopefully an out-of-band patch will emerge sooner than the anticipated mid-September timeframe from Sun/Oracle. Below are approaches to stay protected until a patch arrives:
1. AVOIDANCE -- Stay as safe as possible with respect to email, websites, Facebook, etc ... Stay on mainstream sites and avoid anything suspicious. An ounce of prevention is worth a pound of cure.
2. AV PROTECTION -- Most AV products add protection against exploits fairly soon after they emerge. Below is an example from Trend; other vendors have also recently added protection. Please keep your AV signature files updated, as this helps protect against emerging threats (including many zero-day exploits).
TREND LABS - Zero Day Java exploit
http://blog.trendmicro.com/java-runtime-environment-1-7-zero-day-exploit-delivers-backdoor/
3. DISABLE JAVA -- As noted in this article, disabling Java is difficult for IE, and it can help in cases where there are no business requirements to use Java.
How to Disable JAVA
http://securitywatch.pcmag.com/hacking/302019-security-warning-disable-java-now
http://blogs.technet.com/b/mmpc/archive/2012/08/30/protecting-yourself-from-cve-2012-4681-java-exploits.aspx
When the patch emerges, it will offer the best form of protection and should be quickly installed
In his blog, Ed Bott shares an excellent summary of licence changes associated with Windows 8
Windows 8 - new licensing terms
http://www.zdnet.com/how-the-new-windows-8-license-terms-affect-you-7000003028/
QUOTE: What's changed in Microsoft's radical new license agreements for Windows 8? I've got full details about how you can transfer Windows to a new PC, downgrade rights, and who qualifies for upgrades. I’ve had a chance to inspect the new, radically revised Microsoft license terms in advance of their October release. Earlier this week, I noted the two big surprises: All of the agreements are written in plain language that’s surprisingly easy to understand, and Windows 8 will, for the first time ever, include a new Personal Use License that explicitly permits retail customers to install and run OEM System Builder software. The overpriced full package products will not exist for Windows 8.
On the right side of the Official Microsoft Blog site is a list of numerous blog resources covering virtually every product and technology
Official Microsoft Blog - Master list of blog resources for all products (please see list on right)
http://blogs.technet.com/b/microsoft_blog/
Security firms are warning of two new Java based exploits that are unpatched and actively being used in new malware attacks.
Java - New Zero Day malware spreading for unpatched exploit
http://www.computerworld.com/s/article/9230736/Java_zero_day_exploit_goes_mainstream_100_sites_serve_malware?source=CTWNLE_nlt_virusv_2012-08-29
http://community.websense.com/blogs/securitylabs/archive/2012/08/28/new-java-0-day-added-to-blackhole-exploit-kit.aspx
QUOTE: Attackers using two recently-uncovered Java unpatched vulnerabilities, or "zero-days," have quickly expanded their reach by going mainstream, security experts said today. And on Tuesday, Mozilla, maker of Firefox, joined the chorus of advice that users should disable the current version of Oracle's Java. The company is also ready to automatically block the plug-in from running in its browser, although it has not yet pulled the trigger ... Earlier today we blogged about a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. That's about to change as exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there - Blackhole
The first Windows 8 based phone model has been announced as noted below
Windows Phone 8 debuts - Samsung ATIV S model
http://windowsteamblog.com/windows_phone/b/windowsphone/archive/2012/08/29/this-is-the-samsung-ativ-s-the-first-of-many-amazing-windows-phone-8-devices-coming-this-year.aspx
QUOTE: Samsung lifted the curtain on its first Windows Phone 8 device, the ATIV S. This is just the first in a big lineup of new hardware that’s coming with Windows Phone 8, but it’s a seriously impressive opening salvo. Samsung built the ATIV S with the latest and greatest technology, especially for anyone who wants a superphone that’s equal parts powerhouse and head turner.
Technet shares key information related to this recent change
Microsoft - Corporate Logo revised
http://blogs.technet.com/b/microsoft_blog/archive/2012/08/23/microsoft-unveils-a-new-look.aspx
QUOTE: It’s been 25 years since we’ve updated the Microsoft logo and now is the perfect time for a change. This is an incredibly exciting year for Microsoft as we prepare to release new versions of nearly all of our products. From Windows 8 to Windows Phone 8 to Xbox services to the next version of Office, you will see a common look and feel across these products providing a familiar and seamless experience on PCs, phones, tablets and TVs. This wave of new releases is not only a reimagining of our most popular products, but also represents a new era for Microsoft, so our logo should evolve to visually accentuate this new beginning.
All corporate and home users should ensure critical Windows updates have been successfully installed this month. The ISC provides a great analysis of current exploits and other guidance in summary form.
Microsoft Security Updates - August 2012
http://technet.microsoft.com/en-us/security/bulletin/ms12-aug
Microsoft Security Updates - August 2012 (ISC analysis)
https://isc.sans.edu/diary.html?storyid=13900
The ISC is reporting a growing trend in automated malware attacks that glean Facebook credentials and other private information.
Malware Spam harvesting Facebook Information
https://isc.sans.edu/diary/Malware+Spam+harvesting+Facebook+Information/13981...