Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

March 2013 - Posts

SPAM Protection - Lower detection rates in March 2013

Virus Bulletin's latest tests note that anti-spam products are having more difficulty automatically stopping these unwanted messages, due to advances in spammers' techniques.

QUOTE: Virus Bulletin announced the results of its latest anti-spam comparative review: 17 solutions achieved a VBSpam award, but the majority did so with a lower spam catch rate than in recent tests. Nine out of the 19 full solutions tested saw the percentage of spam they missed at least double, with only three products improving their catch rates. A spam email was almost twice as likely to make it to a user's inbox compared to the previous test.

Most products had more difficulty with legitimate emails as well, with only four solutions correctly identifying all of them, and products had even more difficulty blocking phishing emails. More than half of the solutions missed at least 10% of the emails in a dedicated feed of phishing emails. "Spam has been a relatively good news story in recent years, with spam levels declining while catch rates remained high," said VB's Anti-Spam Test Director, Martijn Grooten. "But in spam filtering, the devil is in the details, and when we look at these details, we see more emails slipping through the maze." This is not the first time Virus Bulletin has observed a drop in products' spam catch rates: a similar drop was observed early last year, with the decline continuing throughout the first half of the year.

April Fools Day 2013 - Top scams and Malware alert

While many practical jokes and pranks will surface tomorrow, best practices are required for safety.

QUOTE: April Fools’ Day is a time for practical jokes, hoaxes and laughs. However, it’s important to understand that April Fools’ Day is also an ample opportunity for cybercriminals to capitalize on the popular day and its events for their own nefarious purposes. To help you make sure cybercriminals don’t get the last laugh this April Fools’ Day - and to give you a few laughs, too - Kaspersky Lab has compiled a few of the top April Fools’ Day hoaxes throughout history and tips on what to look out for to stay safe online.

Safety tips for April 1, 2013, with focus on ransomware:

* Watch out for ransomware: Like the example above, cybercriminals take over your computer, offering to “clean it up” for a fee. Sometimes this technique masquerades as fake anti-virus. Don’t trust messages warning that your Internet or computer is shut down or infected.

* Don't click on pop-up windows even if they aren't blocked by the browser security or other security solutions. You should only click on messages from a legitimate antivirus solution installed on the computer. Ignore any messages warning you of infection that appear randomly while you're browsing the Internet.

* Legitimate programs designed to combat malware will never first scan a computer and then demand money for activation. You should never pay for a product which does this: install a genuine antivirus solution developed by a well-known antivirus company and use this to scan and clean your computer.

* If you find an unknown antivirus program on your computer, check whether the vendor has an official site and technical support. If it doesn't, it is definitely a rogue antivirus.

Avira Security - Twenty Internet Safety tips for 2013

Many best practices are shared in this excellent list of 20 protective techniques.

Mobile Phone Security - Targeted Malware attacks as next step

McAfee Security highlights potential growth in specialized targeted attacks during 2013.

QUOTE: The Android threat landscape continues to evolve in 2013. To distribute Android threats, malware authors are transitioning away from attacking traditional vectors like the Google Play Market and third-party Android markets to vectors like spam and phishing emails and SMS. Recently a new information-stealing Android malware was found being distributed as an attachment in emails as part of a targeted attack against Uyghur, Mongolian, Tibetan, and Chinese activists. The social-engineering attack was carried out through email consisting of an invitation to the “World Uyghur Congress” (WUC) and an attachment pretending to be a letter on behalf of WUC, the Unrepresented Nations and Peoples Organization, and the Society for Threatened Peoples. In reality the file was the Android application “WUC’s Conference.” After downloading, the application asks for the following suspicious permissions:

TDL Rootkit - New variant uses Google Chrome application framework for control

This new variant uses the Chromium Embedded Framework, a Google Chrome-based application framework, for control, replacing legitimate library components with those controlled by the rootkit itself.

QUOTE: Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware continues to be on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has begun to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time a malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do. The CEF provides a Web browser control based on the Google Chromium project. This allows developers to build applications that include Web browser windows. The CEF libraries perform all of the functionality required to run the browser, such as parsing HTML or parsing and executing JavaScript.

Easter 2013 - New Spam and malware attacks

Symantec warns of several new spam and malware attacks actively circulating.

QUOTE: Easter Sunday is one of the most important festivals in the Christian calendar and it is observed anywhere between March 22 and April 25 each year; this year it falls on March 31. Spam messages related to Easter have begun flowing into the Symantec Probe Network. As expected, most of the spam samples are encouraging users to take advantage of products offers, personalized letters, e-cards, as well as clearance sales of cars and replica watches. Clicking the URL will automatically redirect the user to a website containing some bogus offer.

Spammers are also exploiting the event by sending casino spam email using the name "Easter bonnet". The Easter bonnet represents the tail-end of a tradition of wearing new clothes at an Easter festival. The following spam sample provides instructions for ways that users can acquire a "bonus".

1. "Three different bonuses can produce some extra winnings."
2. "Make your deposit and get free spins."
3. "Free welcome package up to $500."

Symantec advises our readers to be cautious when handling unsolicited or unexpected emails.

Apple iCloud - Two factor security authentication offered

Apple has enhanced security in iCloud by offering two-factor authentication, which sends a four-digit passcode to the user's mobile phone.

QUOTE: Apple has bolstered the security in its iCloud, App Store and iTunes service in a bid to prevent hacking. The services will now offer two-step verification in order to prevent unauthorized access. Once activated, the additional security measure sends a four-digit number to a user's phone via a text message. This is in addition to entering the regular Apple ID password associated with the username.

The function is enabled when a user accesses an Apple service such as downloading content from the App Store, a forgotten password or getting Apple ID-related support. Apple said in a statement that it took customer privacy "very seriously". "Two-step verification is an even more robust process to ensure our users’ data remain protected. Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account. After you sign in, you can manage your account or make purchases as usual."

Mobile and Desktop Botnet attacks continue growth in 2013

Botnet attacks continue to grow, including a major increase in mobile phone attacks.

QUOTE: Botnets weren't always malicious. According to a report by Symantec called The Evolution of IRC Bots, botnets were originally designed to automate basic tasks on IRC and allowed IRC operators to link instances of the bot together and manage its power. Eventually, botnets were used to perform DoS attacks and other malicious activities as computer users realized the potential collective power botnets had.

Mobile Botnets on the Rise - Although not as prevalent as their computer counterparts, mobile botnets have been on the rise, with the rate of infections of mobile devices growing exponentially. Mobile malware has passed the point of simple hidden SMS fraud. According to Henderson, researchers are finding mobile malicious apps that are extensions of popular computer botnet software. For example, a mobile version of the Zeus bot intercepts mobile banking logins and sends the credentials back to its owners. This provides the owners with another means of stealing funds from victims.

Enjoy Social Networking? So Do Botnets - Now that botnets have upgraded to the affiliate model of spreading malware, social networks have become another means of infection and it can happen to anyone. Once a botnet controls your computer, it's a simple matter for the owner to post a malicious link on your social networking account.

Botnet defenses - In order to protect a mobile device, Henderson recommends that a user try out mobile antivirus, especially those who own Android devices. He also advises that users be cautious when installing third party apps, including iOS users who made the decision to jailbreak their phone. For non-mobile devices, Henderson suggests that users keep their software up-to-date at all times and uninstall unnecessary applications, such as Java and Flash. Botnet and malware authors take advantage of every vulnerable moment; don't get caught off-guard.

Mobile Phone Security - Hacking attacks increase in 2013

This NBC News article describes how smartphone attacks are more common outside the USA but remain a growing worldwide threat.

QUOTE: Devastating cellphone hacks that hijack your most personal gadget and rob you of privacy and money have long been forecast. But even as smartphone users in Asia are beginning to suffer exploding bills and emptied bank accounts at the hands of hackers, U.S. users largely remain safe and blissfully unaware of the gathering threat.

They took a year-old mobile virus named NotCompatible, which allows hackers to take complete control of a phone, and posted the malicious code on websites. Then they sent out enticing spam emails with links to the booby-trapped sites. The emails were all the more tempting because they appeared to come from friends or others on the recipients’ contact list. Victims who clicked on the link from their phones and downloaded the file surrendered control of their Android phones to the criminals. Security firm Lookout says 10,000 customers per day are still being tricked to click on the bogus link and landing on the booby-trapped pages, and virtually all of them are in the U.S.

U.S. smartphone users have been spared much grief from mobile malware so far for a variety of reasons. Chief among them: Most users get their apps from a centralized and safe source. Apple keeps tight controls on its App Store, so malware writers are largely ignoring that platform. And while Google's Play Store for Android is not as tightly controlled, criminals haven't had much luck sneaking infected software onto that platform, either. That leaves hackers with time-consuming, clumsy methods, such as tricking users to visit a rogue website and electing to install an app.

Android attackers in other parts of the world have an easier time. In China, for example, it's hard to access Google's Play store, so consumers often get their apps from websites. That means rogue apps on random websites raise less suspicion.

SpamHaus DDoS attack - in depth analysis

PC Magazine security shares an in-depth analysis of the Spamhaus DDoS attack:

QUOTE: Distributed Denial of Service is the topic of the day, due to a recent massive DDoS attack by Dutch Web host CyberBunker against spam-fighting agency SpamHaus. Just how significant was the collateral damage to the rest of the Internet? CloudFlare, a Web security company directly involved in defending SpamHaus against the attack, likened it to a nuclear bomb, but Keynote Systems, a company that tracks website availability and response time, said it was no more than a blip.

How the attack worked -- A Denial of Service attack simply overloads the victim's servers by flooding them with data, more data than the servers can handle. This can disrupt the victim's business, or knock its website offline. Launching such an attack from a single Web location is ineffective, as the victim can quickly block that traffic. Attackers often launch a Distributed Denial of Service attack via thousands of hapless computers controlled by a botnet.

What Can Be Done -- Wouldn't it be nice if someone would invent technology to foil such attacks? In truth, they already have, thirteen years ago. In May of 2000, the Internet Engineering Task Force released the Best Current Practices paper known as BCP38. BCP38 defines the problem and describes "a simple, effective, and straightforward method... to prohibit DoS attacks which use forged IP addresses."

Lock It Down -- "Your authoritative server should be available to anyone on the Internet, however, it should only respond to queries about your company's domain." In addition to the outward-facing authoritative DNS server, companies need an inward-facing recursive DNS server. "A recursive DNS server is intended to supply domain lookups to all your employees," explained Nachreiner. "It should be able to reply to queries about all sites on the Internet, but it should only reply to people in your organization."
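To make the two defenses in the article concrete (BCP38 source-address validation at the access edge, and a recursive resolver that answers only its own network), here is an added simulation; it is example code written for this post, not from PC Magazine, Nachreiner or the IETF, and the addresses, prefixes, resolver and victim it uses are constructed from the RFC 5737 documentation ranges.

```python
"""Trace a DNS query through an access edge and a recursive resolver and report
where it is stopped. Example code, not from the article. Topology assumed below."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    src: str    # source address as written in the IP header (forgeable)
    dst: str    # resolver being asked
    qname: str  # name queried


# Assumed topology, constructed for this example (RFC 5737 documentation ranges):
ATTACKER_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # access network the sending hosts sit on
RESOLVER_ADDR = "198.51.100.53"                             # the recursive resolver
RESOLVER_SERVES = ipaddress.ip_network("198.51.100.0/24")  # the only network it should recurse for
VICTIM = "192.0.2.10"                                       # address written into forged queries


def bcp38_ingress_allows(q: Query, ingress_prefix: ipaddress.IPv4Network) -> bool:
    """BCP38 at the access edge: forward only packets whose source lies in the prefix
    attached to the port they arrived on. A forged source fails this check."""
    return ipaddress.ip_address(q.src) in ingress_prefix


def resolver_accepts(q: Query, served) -> bool:
    """Resolver access control: recurse only for clients in its own network.
    served=None models an open resolver that answers anyone."""
    return served is None or ipaddress.ip_address(q.src) in served


def trace(q: Query, ingress_prefix, bcp38: bool = True, served=RESOLVER_SERVES) -> str:
    """Follow one query from the port it enters on to the resolver and say where it stops.
    Any reply goes to q.src, so a forged source turns an open resolver into a reflector."""
    if bcp38 and not bcp38_ingress_allows(q, ingress_prefix):
        return "dropped_at_edge"            # forged source never leaves the access network
    if not resolver_accepts(q, served):
        return "refused_by_resolver"        # resolver is closed to outsiders
    return f"answered_to_{q.src}"           # reply is sent to whatever the source field says


# Constructed traffic: an internal client, an outsider with its real address,
# and a query whose source field has been forged to the victim's address.
INTERNAL = Query(src="198.51.100.20", dst=RESOLVER_ADDR, qname="example.com.")
OUTSIDER = Query(src="203.0.113.7", dst=RESOLVER_ADDR, qname="example.com.")
FORGED = Query(src=VICTIM, dst=RESOLVER_ADDR, qname="example.com.")

if __name__ == "__main__":
    print("internal client        :", trace(INTERNAL, RESOLVER_SERVES))
    print("outsider, real source  :", trace(OUTSIDER, ATTACKER_PREFIX))
    print("forged source, BCP38 on:", trace(FORGED, ATTACKER_PREFIX))
    print("forged, no BCP38       :", trace(FORGED, ATTACKER_PREFIX, bcp38=False))
    print("forged, no BCP38, open :", trace(FORGED, ATTACKER_PREFIX, bcp38=False, served=None))
```

Either control on its own stops the forged query from producing a reply to the victim; only when the edge skips BCP38 and the resolver is open does the answer leave for an address that never asked for it, which is the combination the article's "lock it down" advice is aimed at.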

Mobile Phone users - Facebook checked 14 times per day

As noted in a recent study, smartphone users check Facebook an average of 14 times per day:

QUOTE: People with smartphones check their Facebook pages an average of 14 times each day. They scroll through news feeds while running errands, comment on friends' posts while shopping or at the gym, post a photo of their food plate before dinner. This adds up to an average of about 32 minutes of Facebook time on their phone every day.

Google Chrome 26 release resolves security issues

Chrome 26 was released during March 2013 with the following security fixes:

QUOTE: Google team has updated its web browser to Google Chrome 26.0.1410.43. Chrome 26 comes to you with security fixes for multiple bugs, resolving 2 high-level flaws, 4 medium-level flaws, and 5 low-level flaws. Google awarded $1,000 in cash to a security researcher who provided information about one of the high-level vulnerabilities (CVE-2013-0916) covered in this software update.

Facebook - New Fake login phishing scam for March 2013

AVAST warns of an improved FB authentication attack currently circulating:

QUOTE: Another wave of Facebook phishing is spreading among Facebook users. Imagine you get a message from another Facebook user with a link to a new amazing Facebook app. Even if the sender is not your friend, you decide to go to the link. Instead of an application you see a fake Facebook login page.

Tax Season 2012 year-end - scams circulating

As noted by Sophos, please be careful of tax scams circulating currently:

QUOTE: In the US, to remind taxpayers to be on the lookout for scams ranging from identity theft to return-preparer fraud, the Internal Revenue Service (IRS) on Tuesday posted its Dirty Dozen list of tax scams for 2013. The IRS compiles the list every year. It notes that taxpayers can expect the scams any time of year, but many of the schemes peak now, during filing season.

Major DDoS Attacks - Lock down Open DNS resolvers

Spamhaus, a major anti-spam group, has experienced unparalleled DDoS attacks, with attack streams of up to 300 Gbps. Key advice is shared to mitigate attacks of this scale so that the site is not knocked offline entirely:

QUOTE: The message then for anyone who maintains Internet infrastructure is simple: Lock down your DNS repeaters. "If you are an administrator of DNS services, it is critical that you configure your recursive name servers to only reply to your own network," Wisniewski said. "If you must provide public DNS, be sure to apply filtering for abusive queries and ensure the frequency of queries is commensurate with your expected volumes."

CloudFlare has been publicly calling on businesses to lock down their open DNS resolvers to help stem DDoS amplification attacks, which can easily achieve 100 Gbps of throughput. As of late 2012, CloudFlare reported seeing a single attack that used more than 68,000 DNS servers, while this week's anti-Spamhaus DDoS attacks used more than 30,000 unique DNS resolvers. "We're lucky they used only 30k DNS resolvers," said Eugene Kaspersky, CEO of Kaspersky Lab, on Twitter.

That's because, thanks to the use of DNS responders, attackers could punch well above their weight. "Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750 Mbps -- which is possible with a small-sized botnet or a handful of AWS [Amazon Web Services] instances," said CloudFlare CEO Matthew Prince in a blog post. "Open DNS resolvers are the scourge of the Internet and these attacks will become more common and large until service providers take serious efforts to close them."
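Wisniewski's advice above is to answer recursion only for your own network and, where a public resolver is unavoidable, to filter abusive queries and watch that query frequency matches expected volumes. The following added example turns that into a simple log review for a recursive resolver; it is example code written for this post (not from Sophos, CloudFlare or any DNS vendor), the log lines are constructed in the style of a BIND 9 query log, the served network and thresholds are assumptions, and all addresses are RFC 5737 documentation ranges.

```python
"""Flag clients in a recursive resolver's query log that look like reflection abuse:
recursion requested from outside the served network, query bursts above an
expected rate, and repeated ANY queries. Example code, not from the article."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed: the network this resolver is meant to recurse for, and local thresholds.
OWN_NETWORK = ipaddress.ip_network("198.51.100.0/24")
RATE_LIMIT = 5       # more than this many queries from one client in one second is abnormal here
ANY_THRESHOLD = 3    # repeated ANY queries favour large answers, a classic amplification signature

# Constructed BIND 9 style query-log lines (not taken from the article).
SAMPLE_LOG = [
    "28-Mar-2013 10:15:01.001 client 198.51.100.20#40001: query: example.com IN A +E (198.51.100.53)",
    "28-Mar-2013 10:15:01.120 client 198.51.100.20#40002: query: example.net IN AAAA +E (198.51.100.53)",
    "28-Mar-2013 10:15:02.050 client 203.0.113.5#53000: query: example.org IN A + (198.51.100.53)",
    "this line is not a query-log entry and must be skipped",
] + [
    # six ANY queries in a single second from an address outside OWN_NETWORK
    f"28-Mar-2013 10:15:02.{ms:03d} client 192.0.2.10#{4000 + ms}: query: example.com IN ANY +E (198.51.100.53)"
    for ms in range(100, 700, 100)
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line: str):
    """Return the fields of one query-log line, or None if it is not a query entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recursive"] = "+" in rec["flags"]   # BIND writes '+' when recursion was desired
    return rec


def analyse(lines):
    """Map each suspicious client address to the set of reasons it was flagged:
    'outside' (recursion requested from outside OWN_NETWORK), 'rate' (per-second
    burst above RATE_LIMIT) and 'any' (ANY_THRESHOLD or more ANY queries)."""
    per_second = Counter()       # (client, second) -> query count
    any_count = Counter()        # client -> ANY query count
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        per_second[(client, rec["ts"])] += 1
        if rec["qtype"] == "ANY":
            any_count[client] += 1
        if rec["recursive"] and ipaddress.ip_address(client) not in OWN_NETWORK:
            reasons[client].add("outside")
    for (client, _second), n in per_second.items():
        if n > RATE_LIMIT:
            reasons[client].add("rate")
    for client, n in any_count.items():
        if n >= ANY_THRESHOLD:
            reasons[client].add("any")
    return dict(reasons)


if __name__ == "__main__":
    for client, why in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{client:15} {', '.join(sorted(why))}")
```

An "outside" hit on a resolver that is not meant to be public means the access control Wisniewski describes is missing or misconfigured; "rate" and "any" hits on a deliberately public resolver are the queries his advice says to filter or rate-limit. The thresholds are placeholders and should be set from the resolver's own measured baseline.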

Spamhaus - Largest DDoS attack in history at 300 Gbps

Spamhaus, a major anti-spam group, has been under attack for several days. The scope of this attack is described in the following article:

QUOTE: Spamhaus, a group based in both London and Geneva, is a non-profit organisation that aims to help email providers filter out spam and other unwanted content. To do this, the group maintains a number of blocklists - a database of servers known to be being used for malicious purposes.

The attackers have used a tactic known as Distributed Denial of Service (DDoS), which floods the intended target with large amounts of traffic in an attempt to render it unreachable. In this case, Spamhaus's Domain Name System (DNS) servers were targeted - the infrastructure that joins domain names, such as, the website's numerical internet protocol address.

Mr Linford said the attack's power would be strong enough to take down government internet infrastructure. "If you aimed this at Downing Street they would be down instantly," he said. "They would be completely off the internet." He added: "These attacks are peaking at 300 Gbps (gigabits per second)."

The knock-on effect is hurting internet services globally, said Prof Alan Woodward, a cybersecurity expert at the University of Surrey. "If you imagine it as a motorway, attacks try and put enough traffic on there to clog up the on and off ramps," he told the BBC. "With this attack, there's so much traffic it's clogging up the motorway itself."

Arbor Networks, a firm which specialises in protecting against DDoS attacks, also said it was the biggest such attack they had seen. "The largest DDoS attack that we have witnessed prior to this was in 2010, which was 100 Gbps. Obviously the jump from 100 to 300 is pretty massive," said Dan Holden, the company's director of security research.

Facebook - Improved Who viewed Profile scam circulating in March 2013

The "Who has viewed your Profile" scam has been one of the most popular ones circulating. The latest version has been greatly enhanced to import friend photos and should be avoided.

Scam Message: Who Viewed Your Profile – Introducing the new “Who Viewed Your Profile” feature on facebook!  The scam creators cleverly import the profile pictures of the user’s Facebook friends to make the scam appear more legitimate.

Scam Type: Profile Viewer, Rogue Browser Extension

Trending: March 2013

Why it’s a Scam: Clicking the scam link takes you to an external website and you are prompted to install a browser extension [screenshot: who_viewed_your_profile]. It’s important to remember that anything offering to show you who has viewed or visited your profile is certain to be a scam. Facebook doesn’t allow developers access to the data required to create such apps or extensions.

How to Deal with the Scam: If you did make the mistake of installing the rogue browser extension, then use the guide shown below to remove it:

Facebook - Messaging System new vulnerabilities found in March 2013

Facecrooks Security warns of new vulnerabilities, as noted below.

QUOTE: For the second time in a month, Goldshlager has found a dangerous loophole in Facebook’s messaging system that could’ve allowed any savvy hacker access to a user’s information. Goldshlager said, “Even if the victim has never allowed any application in his Facebook account, I could still get full permission on his account via Facebook Messenger app_id.”

Last month, Goldshlager found a dangerous glitch in the system that allowed him to tinker with Facebook URLs and access any user’s information through Facebook’s app system, OAuth, without them even having to approve an app request. It was reported that Goldshlager has again found a very similar loophole on the site and reported it.

“It was a very similar bug (with a similar fact pattern) and, as you can see from the post, we were able to fix it almost immediately. We have provided bounties to over 200 researchers, and Mr. Goldshlager has reported multiple vulnerabilities to us in the past,” said Facebook Security Policy Manager Frederic Wolens, speaking to MarketWatch. Wolens further stated that Facebook believes no users were impacted by the bug.

Corporate Trustworthy Computing Requires Security Awareness

QUOTE: Over a decade ago, Microsoft initiated an initiative for their company called Trustworthy Computing. At the time, it was a revolutionary concept that set out to fortify internal product security and improve associated human behavioral controls. Today, every company must employ a similar strategy to protect its information resources.

Creating a trustworthy computing environment takes years of focused and dedicated effort. Microsoft and other companies are continuing to build on this innovative strategy. Today, we see measurable benefits from this process of improving product security and emphasizing user education. Training and motivating people to safely process information are challenging in our flexible and highly connected environments. A well designed security awareness program is a key resource to accomplish this goal.


PCI Standards & Documents Library resources

For organizations supporting the PCI DSS standard, this link offers a wealth of free resources to help design compliance programs.
