May 2013 - Posts
Over a dozen utility companies have acknowledged they experience daily attacks as noted in the Bit9 security blog:
QUOTE: A recent report by Reps. Edward Markey (D-Mass.) and Henry Waxman (D-Calif.) referenced more than a dozen utility companies that acknowledged they experience daily persistent cyber attacks. Although statistically similar to companies in other sectors, there is more concern because a cyber attack on the U.S. energy sector has potential to be economically devastating and lead to loss of lives.
Even though North American Electric Reliability Corporation (NERC) compliance standards forbid control systems being connected to consumer-facing or administrative networks, NERC’s reach only goes so far, leaving out oversight on important industries such as oil and gas. We hear regularly about “N” million credit card numbers hacked or “Q” million user credentials stolen, despite the fact that almost all of the affected companies were PCI compliant.
When utilities start thinking that compliance = security, that’s a problem. Compliance is a great place to begin the security conversation, but organizations need to go further than what’s mandated. When we think of legacy hardware out in the field that a) need to be connected to the Internet to receive up-to-date antivirus protection, or b) are not connected to the Internet and therefore have static protection, we have to ask ourselves if these systems are really protected at all.
Security researchers are analyzing potential new BIOS attacks, with proof-of-concept malware to be demonstrated at the Black Hat conference this summer.
QUOTE: As more hardware vendors seek to implement the new NIST 800-155 specification that was designed to make the start-up BIOS firmware on our PCs and laptops more secure, they may need to rethink the security assumptions upon which the standard depends. A trio of researchers from The MITRE Corp. say that the current approach relies too heavily on access control mechanisms that can easily be bypassed. The researchers are taking their message to Black Hat USA later this summer in a talk where they plan to unveil new malware proofs-of-concept that can trick an endpoint's Trusted Platform Module (TPM) chip into thinking the BIOS firmware is clean and can persist infecting the BIOS after it has been flashed, or reset, or even after it has been updated.
"The first one we're going to introduce is called the tick, which is a stealth malware that lives in the firmware, so it's persistent past reflashes and is able to forge the TPM's PCR values to provide a known good expected value," Butterworth says. "The second one we'll introduce what we call the flea because it is able to jump from one BIOS revision to the next. Whereas the tick can easily be removed if you simply update or upgrade your BIOS revision, the flea is actually able to sense that firmware is about to be updated and is able to clone itself into the update image."
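How a firmware implant can "forge the TPM's PCR values" is easier to see with a small simulation of measured boot. This is an added illustration, not code from the article or from the MITRE researchers: it models the TPM 1.2 PCR extend operation (SHA-1 of the old PCR value concatenated with the new measurement digest), replays a measurement log the way a remote verifier would, and then shows that a measurer which extends a known-good digest instead of hashing the firmware it actually executes produces exactly the PCR the verifier expects. The firmware images, option ROM and boot loader are constructed byte strings standing in for real BIOS code.

```python
import hashlib

# Added illustration, not code from the article or the MITRE researchers.
# A TPM 1.2 PCR holds a 20-byte SHA-1 digest that software can only *extend*
# (PCR_new = SHA1(PCR_old || digest)), never set directly. The firmware images
# below are constructed byte strings standing in for real BIOS code.
PCR_SIZE = 20


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """The TPM extend operation: fold one measurement into the running PCR value."""
    return hashlib.sha1(pcr + digest).digest()


def replay_log(event_digests) -> bytes:
    """What a remote verifier does: recompute the PCR from an ordered event log."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros after a platform reset
    for digest in event_digests:
        pcr = pcr_extend(pcr, digest)
    return pcr


def measure(blob: bytes) -> bytes:
    return hashlib.sha1(blob).digest()


GOOD_BIOS = b"vendor BIOS image v1.0 (constructed sample)"
INFECTED_BIOS = GOOD_BIOS + b"\x00" * 8 + b"resident implant (constructed sample)"
LATER_STAGES = [measure(b"option ROM (constructed)"), measure(b"boot loader (constructed)")]


def honest_boot(firmware: bytes) -> bytes:
    """Trustworthy measurer: extends the digest of the firmware that actually runs."""
    return replay_log([measure(firmware)] + LATER_STAGES)


def forged_boot(firmware: bytes, advertised_digest: bytes) -> bytes:
    """Compromised measurer: runs `firmware` but extends whatever digest it likes.
    `firmware` is deliberately unused; what executes and what is measured are decoupled."""
    return replay_log([advertised_digest] + LATER_STAGES)


def attest(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Verifier's decision: accept only if the reported PCR matches the known-good value."""
    return reported_pcr == golden_pcr


if __name__ == "__main__":
    golden = honest_boot(GOOD_BIOS)
    print("clean firmware, honest measurer    :", attest(honest_boot(GOOD_BIOS), golden))
    print("infected firmware, honest measurer :", attest(honest_boot(INFECTED_BIOS), golden))
    print("infected firmware, forged digest   :", attest(forged_boot(INFECTED_BIOS, measure(GOOD_BIOS)), golden))
```

The third case is the one that matters: the verifier only ever learns what the first measuring component reported, and that component lives in the BIOS being measured. If it is compromised, a matching PCR is not evidence of a clean BIOS, which is why access control over flash writes alone cannot make the measurement trustworthy.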
Effective July 1, revised US child privacy law will require parental consent before personal information is collected from underage users. As this article from the Facecrooks security blog notes, improved controls are needed to ensure users actually meet the age restrictions.
QUOTE: More and more teenagers (and even preteens) are moving away from traditional social media sites like Facebook and Twitter and embracing photo-sharing services like Instagram and SnapChat. However, while pre-teens are not technically allowed to use Instagram (the minimum age is 13), many do easily, and with few questions asked. “Facebook is not doing enough to ensure children under 13 don’t have access to the site,” said Joy Spencer, a director of child safety for the Center for Digital Democracy. “That raises a number of concerns about safety, and because Instagram then is able to collect personally identifiable information on children, which can be used to target ads toward them in the future.”
Instagram does not ask for any personal information during registration, allowing pre-teens to easily register for the site. (Facebook, for its part, asks personal information to determine if someone is underage.) However, a new revision to U.S. child privacy law that takes effect on July 1 will require social networks to get parental consent if they collect personal information such as photos, email addresses or videos from underage users. Determining age online is difficult, and the new revision on July 1 will be even harder to police. However, photo sharing sites like Instagram are exploding in popularity among young users, and the sites’ privacy settings must catch up to the boom.
While the link below is oriented to the Apple OS X environment, version 27 is also available for Windows.
The Google team has updated its web browser to Google Chrome 27.0.1453.93 for Mac and other operating systems, which includes security fixes for fourteen vulnerabilities (11 high-level bugs, 2 medium-level bugs, and 1 low-level bug). Google provided $14,633.70 in rewards to the security researchers who provided information about the vulnerabilities covered in this software update. Following are details of all security issues fixed in Chrome version 27.0.1453.93:
CVE-2013-2836: Various fixes from internal audits, fuzzing and other initiatives.
CVE-2013-2837: Use-after-free in SVG.
CVE-2013-2838: Out-of-bounds read in v8.
CVE-2013-2839: Bad cast in clipboard handling.
CVE-2013-2840: Use-after-free in media loader.
CVE-2013-2841: Use-after-free in Pepper resource handling.
CVE-2013-2842: Use-after-free in widget handling.
CVE-2013-2843: Use-after-free in speech handling.
CVE-2013-2844: Use-after-free in style resolution.
CVE-2013-2845: Memory safety issues in Web Audio.
CVE-2013-2846: Use-after-free in media loader.
CVE-2013-2847: Use-after-free race condition with workers.
CVE-2013-2848: Possible data extraction with XSS Auditor.
CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
In addition to security fixes, the Google team mentioned the web browser includes the following new items:
* Web pages load 5% faster on average
* chrome.syncFileSystem API
* Improved ranking of predictions, improved spell correction, and numerous fundamental improvements for Omnibox predictions
Chrome 27 also contains a new Adobe Flash build. You can find more information about Adobe’s newest software updates here.
This article shares techniques for creating stronger passwords.
QUOTE: In a recent study, Deloitte reported that over 90 percent of passwords created by individual users are "vulnerable to hacking in a matter of seconds." This includes stupid passwords like "password" and "123456," but also includes "those considered strong by IT departments." The researchers determined that a dictionary of the 10,000 most common passwords would match over 98 percent of all secured accounts. How can you improve your passwords? Sophos suggests you just need to be smart. Well, actually, they suggest you need to be S.M.A.R.T. That's a reminder to use five specific best practices when creating passwords: Strong, Multi-character, Avoid associations, Random, and Tools.
This new phishing attack tricks Facebook page administrators into divulging credentials that can be misused later.
QUOTE: A new phishing scam on Facebook claims that page administrators need to verify page ownership by submitting their Facebook username and password. Of course, it’s just a ploy to divest users of their personal info, as is made abundantly clear in the scam’s poorly-worded and grammatically incorrect “official” message from Facebook:
“Dear Facebook User,” the scam message reads, “You are receiving this message to notify you about the new security feature from Facebook called ‘Fan Page Verification Program’. After many Fan Pages have been stolen lately leaving us no choice but Deleting them forever, we had to come up with an original solution about the Fan Page’s Security. Luckily, your Fan Page, has a lot of likes and provides High Quality Content, which qualify it for this program.”
Summary from several evaluations below:
QUOTE: Microsoft announced Thursday that Windows 8.1 will restore the Start button and include a boot-to-desktop option, confirming a series of reports published the previous afternoon. At face value, the tweaks smooth over several of Windows 8's most-criticized rough edges.
* START BUTTON: Desktop diehards will find a present waiting for them in Windows 8.1, the impending upgrade colloquially dubbed "Windows Blue." A wonderful, horrible, oh-so-teasing present. The Start button is back--but the Start menu isn't. Instead, clicking the old familiar button will dump you into the modern UI Start screen. While the new feature is notable for adding a helpful visual cue to an operating system rife with hidden menus, it isn't exactly what people begging for the return of the Start button were looking for.
* BOOT DESKTOP MODE: The modern-style PC setting options are also getting a big boost. One of the biggest complaints about Windows 8 is the way it constantly swaps you back and forth between the desktop and modern interfaces, a problem exacerbated by the fact that you have to dive into the desktop control panel to tinker with under-the-hood stuff. No more.
* IE11: Internet Explorer 11 will make its debut in Windows 8.1, as well. While most of the tweaks sound fairly basic--faster page loads, better touch performance--it's also adding the tab syncing feature seen in leaked builds of Blue, allowing you to open tabs across multiple Windows 8.1 PCs and tablets.
* DEVICE SYNC: Speaking of, Windows 8.1 also adds the ability to sync your settings and Start screen apps across multiple devices, assuming you sign in to those devices using an online-connected Microsoft account.
* TILE RE-SIZING: More minute improvements include more Live Tile sizing options, additional category filters in the All Apps screen, and a plethora of Start screen tile shuffling options.
SLIDE SHOW - sneak preview of new features
Firefox 23 adds a Mixed Content Blocker, improving security for HTTPS pages that also load HTTP resources.
QUOTE: Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker is enabled by default in Firefox 23 and protects our users from man-in-the-middle attacks and eavesdroppers on HTTPS pages. When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. With the latest Aurora, Firefox will block certain types of Mixed Content by default, providing a per-page option for users to “Disable Protection” and override the blocking.
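The first thing a mixed-content blocker has to do is decide which subresource loads count as mixed content at all. The following is an added example, not code from Mozilla or from the quoted article: it classifies each resource requested by an HTTPS page, resolving relative and protocol-relative URLs against the page so they are correctly left alone, and splits the genuine HTTP loads into active content (scripts, stylesheets, frames, XHR, fonts, plugins, which can rewrite the page) and passive content (images and media, which can only be swapped or observed). That active/passive split follows Mozilla's documented distinction and is the part the article summarises as "certain types"; the page URL and resource list are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not code from Mozilla or the quoted article. The active/passive
# split follows Mozilla's documented mixed-content categories; the page URL and
# resource list below are constructed.
ACTIVE_TYPES = {"script", "stylesheet", "iframe", "xmlhttprequest", "font", "object"}
PASSIVE_TYPES = {"image", "audio", "video"}


def classify_resource(page_url: str, resource_url: str, resource_type: str) -> str:
    """Return 'active-mixed', 'passive-mixed' or 'ok' for one subresource load."""
    if urlsplit(page_url).scheme.lower() != "https":
        return "ok"  # mixed content is only defined for a page that was itself delivered securely
    # urljoin resolves relative paths and protocol-relative URLs (//host/x) against the
    # page, so those inherit https and are correctly NOT reported as mixed content.
    scheme = urlsplit(urljoin(page_url, resource_url)).scheme.lower()
    if scheme != "http":
        return "ok"  # https, data:, blob:, about: and friends are not mixed content
    if resource_type in ACTIVE_TYPES:
        return "active-mixed"
    if resource_type in PASSIVE_TYPES:
        return "passive-mixed"
    return "active-mixed"  # unknown resource type: fail closed


def audit_page(page_url: str, resources) -> dict:
    """resources: iterable of (url, type). Groups the URLs by verdict, preserving order."""
    report = {"active-mixed": [], "passive-mixed": [], "ok": []}
    for url, rtype in resources:
        report[classify_resource(page_url, url, rtype)].append(url)
    return report


# Constructed sample: one checkout page and the subresources it requests.
SAMPLE_PAGE = "https://shop.example/checkout"
SAMPLE_RESOURCES = [
    ("https://cdn.example/app.js", "script"),
    ("http://cdn.example/legacy.js", "script"),
    ("//cdn.example/theme.css", "stylesheet"),
    ("http://img.example/banner.png", "image"),
    ("/static/logo.png", "image"),
    ("http://tracker.example/collect", "xmlhttprequest"),
]

if __name__ == "__main__":
    for verdict, urls in audit_page(SAMPLE_PAGE, SAMPLE_RESOURCES).items():
        print(f"{verdict:14s} {urls}")
```

With the defaults described in the article, the two "active-mixed" entries are what Firefox 23 blocks unless the user chooses "Disable Protection"; the passive image still loads. The protocol-relative stylesheet is the case people most often misreport as mixed content, and the resolver step above is what keeps it out of the list.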
QUOTE: Cyber-criminals stole more than a half-billion dollars last year, relying on a variety of scams including fake sales, extortion, and scareware, according to the latest figures from the Internet Crime Complaint Center. The Internet Crime Complaint Center (IC3) received 289,874 complaints, or approximately 24,000 complaints a month, in 2012, according to the 2012 Internet Crime Report released this week. Nearly 40 percent of the complaints reported some kind of financial loss, for a grand total of $525,441,110. The average loss for those who claimed a financial impact was $4,573, according to the report.
Further details on the "Windows Blue" project were announced today.
QUOTE: Windows 8.1 will advance the bold vision set forward with Windows 8 to deliver the next generation of PCs, tablets, and a range of industry devices, and the experiences customers — both consumers and businesses alike — need and will just expect moving forward. It’s Windows 8 even better. Not only will Windows 8.1 respond to customer feedback, but it will add new features and functionality that advance the touch experience and mobile computing’s potential. Windows 8.1 will deliver improvements and enhancements in key areas like personalization, search, the built-in apps, Windows Store experience, and cloud connectivity. Windows 8.1 will also include big bets for business in areas such as management and security – we’ll have more to say on these next week at TechEd North America. Today, I am happy to share a “first look” at Windows 8.1 and outline some of the improvements, enhancements and changes customers will see.
Mac OS X users should ensure they have up-to-date AV controls in place and handle email carefully, avoiding suspicious attachments and links.
QUOTE: New variants of a backdoor trojan named OSX/FileSteal have been found to be targeting activists via targeted email. The trojan is signed using a developer certificate to bypass certain levels of Gatekeeper protection. At the time of writing, the certificate has been revoked and the servers used by the threat have been sinkholed and as such the threat has been effectively neutralized. As new variants could continue to be created, it is best to continue to exercise caution, particularly if you’re in a targeted group.
The backdoor itself is, like previous variants, very basic in functionality. It copies itself to the User’s home folder (whereas the original variant copied itself to the /Applications folder) and adds itself to the user’s login items to be launched on every startup. It does this using the same AppleScript as used by the original OSX/FileSteal.A variant. The backdoor silently takes screenshots of the affected user’s machine, which are put in the ~/MacApp folder. The threat then sends collected screenshots in PNG format to one remote website, and it sends other collected user info to another, separate site. The various sites used by the backdoor are not responding at this time.
As recently documented, Facebook will make improvements to better control its content:
QUOTE: Earlier this week, the women’s rights group Women, Action & The Media sent an open letter to Facebook demanding that they revise their policies regarding offensive content on the site. Facebook vice president Marne Levine published a post on Tuesday promising greater action from the site to stamp out hate speech.
“In recent days, it has become clear that our systems to identify and remove hate speech have failed to work as effectively as we would like, particularly around issues of gender-based hate,” she wrote. “We have been working over the past several months to improve our systems to respond to reports of violations, but the guidelines used by these systems have failed to capture all the content that violates our standards. We need to do better – and we will.”
She went on to lay out a step by step plan of how Facebook is going to improve its policing of hate speech. The plan includes:
* Soliciting feedback from legal experts and representatives from discriminated groups regarding Facebook’s Community Standards
* Updated training on finding offensive content
* Increased accountability for the creators of offensive content
* More direct and transparent communication with concerned groups
Microsoft has fixed in Internet Explorer many of the vulnerabilities demonstrated at the recent CanSecWest Pwn2Own contest. All home and corporate users should apply the May security updates promptly.
QUOTE: MS13-037 addresses a number of vulnerabilities in Internet Explorer, several of which were reported to us by the TippingPoint Zero Day Initiative (ZDI) program. We’ve gotten questions from customers about the specific vulnerabilities purchased by ZDI from the CanSecWest pwn2own contest. We’d like to use this blog post to provide more background on the set of vulnerabilities required for an attacker to exploit modern-day browsers and the state of fixes for those specific vulnerabilities.
Several years ago, a single memory corruption style vulnerability in the browser could be directly leveraged to compromise a system and run code in the context of the browsing user. Microsoft has invested heavily in platform-level mitigations for client-side applications such as browsers to the extent that today multiple different vulnerabilities must now be discovered and chained together in an exploit to compromise a system. A single memory corruption style vulnerability is just the start of an attacker’s discovery process. Typically, the attacker would also need to bypass ASLR and discover a way out of the IE Protected Mode limited code execution environment.
ZDI reported five separate vulnerabilities to Microsoft as a result of the contest:
* VUPEN’s IE10 exploit
--- IE10 memory corruption style remote code execution vulnerability (CVE-2013-2551)
--- IE post-exploitation Low Integrity -> Medium Integrity escalation (CVE-2013-2552)
* MWR Labs (Jon Butler and Nils) Chrome exploit
--- Windows kernel elevation of privilege to escape sandbox (CVE-2013-2553)
* VUPEN's Firefox exploit
--- Windows LDRHotpatch ASLR/DEP bypass (CVE-2013-2554)
* VUPEN's Adobe Flash exploit
--- IE9 broker issue used in the exploit for Adobe Flash (CVE-2013-2556)
Zeus (Zbot) is a specialized Trojan horse that harvests login credentials, bank account details and other sensitive information from the infected user's browser session. Users should ensure their systems are free of malware before conducting banking or other sensitive e-commerce activities.
QUOTE: The Zeus banking Trojan is back, with new code and capabilities, Trend Micro researchers said recently. After practically no activity in January, Zeus variants surged in the beginning of February and continued to be active each month, peaking during the middle of May. The newer variant behaves differently once it infects the computer, but it still steals login information from financial Websites and other sensitive sites.
Zeus was essentially quiet most of last year and beginning of this year after Microsoft and its law enforcement partners successfully seized several Zeus command-and-control servers in March 2012. At the time, Microsoft acknowledged that the campaign against Zeus wasn't a complete takedown effort because there were more C&C servers that were still operating. Even so, Microsoft disrupted operations and crippled key components of the infrastructure to make Zeus not as common as it used to be.
Zeus is an information-stealing Trojan designed to steal online login credentials to sensitive sites from users, such as online banking and email accounts. Zeus also steals personally identifiable information. Previous variants saved stolen data and the configuration file inside a Windows system folder and modified the hosts file so that users couldn't access security-related sites. The configuration file contains the names of the financial institutions the malware looks for in the user's browser session.
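The hosts-file trick mentioned above is cheap for malware and cheap to check for. Below is an added check, not code from Trend Micro or from the quoted article: it parses a hosts file and reports every mapping that is not one of the standard loopback names, labelling it "sinkholed" when it points at loopback or the unspecified address (the way security vendors' update and scan sites are blocked) and "redirected" otherwise (a name sent to an attacker-chosen IP). The file content is constructed and the vendor and bank domains are placeholders; legitimate administrator entries will be listed too, so the output is for review rather than automatic cleanup.

```python
import ipaddress
import os

# Added check, not code from Trend Micro or the quoted article. The hosts file
# content below is constructed; vendor and bank names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.avvendor.example
127.0.0.1       www.securityvendor.example   # dropped in by the malware
10.0.0.5        onlinebank.example
"""

# Names that legitimately map to loopback on Windows, macOS and Linux.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
    "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}


def parse_hosts(text: str):
    """Return (lineno, ip, hostname) tuples; comments, blanks and junk lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # resolvers ignore unparsable lines, so they cannot redirect anything
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text: str):
    """Every non-local mapping is a finding: 'sinkholed' if it points at loopback or
    the unspecified address, 'redirected' otherwise. Legitimate admin entries will
    show up too; the list is for review, not automatic removal."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((lineno, name, str(ip), kind))
    return findings


def system_hosts_path() -> str:
    return r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt" else "/etc/hosts"


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print("sample  line %d: %-30s -> %-12s %s" % f)
    path = system_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in suspicious_entries(fh.read()):
                print("system  line %d: %-30s -> %-12s %s" % f)
```

Run as a script it reports on the constructed sample and then on the local machine's own hosts file. On a clean default install the second list is empty; anything in it deserves a look, and a security vendor's name mapped to 127.0.0.1 is a strong sign the box should not be used for banking until it has been cleaned.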
Independent anti-virus test sites provide one valuable point of view when choosing an AV product, and it is always beneficial to evaluate other sources of input as well.
QUOTE: For a number of years German antivirus lab AV-Test rated antivirus products on three criteria: Protection, Repair, and Usability. Starting last month, they switched to Protection, Performance, and Usability; Performance previously was considered just a facet of Usability. The researchers will continue to test each product's ability to repair existing malware infestations, but in a separate, dedicated test.
Bitdefender remains the top scorer in this test, with a total of 17 out of 18 possible points. If you trust the testing methodology used by AV-Test, you could hardly go wrong selecting this vendor. Norton took the next-highest score, 16 points. With 15.5 points each, Avast!, F-Secure, and Kaspersky also received special honors from AV-Test. The biggest score changer among these consistent top products was F-Secure, with a full 1.0 points better than the last time. The rest went up or down by no more than 0.5 points. Getting a good score in one antivirus test is fine, but staying consistently near the top is even better.
AV TEST - Home Page
The ISC warns readers to be careful of emails, links, mobile donation requests and similar appeals associated with the recent disaster in Oklahoma. It is best to donate to well-established organizations such as the Red Cross to ensure the money reaches those in need.
QUOTE: I find it sad that in times when people are facing disaster, many have died, others missing, and the survivors facing having lost everything that there are scumbags who will try to take advantage. Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has not been around for very long. There are many legit charities, I would recommend sticking to ones you are already familiar with. The American Red Cross for example has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well established charity that does good work and is already involved in helping out in Moore, Oklahoma.
As Yahoo's spam filtering did not catch this new attack that is circulating, it was discovered in my inbox this morning.
However, IE 10 shows the malicious URL when hovering over the link.
The social engineering behind these attacks is to create anxiety for the user.
If they do not check carefully, they can disclose their email credentials or other personal information to unauthorized users.
----- Forwarded Message -----
From: Yahoo!(c) Mail Inc <spoofed-email-address>
To: Harry Waldron
Sent: Thursday, May 23, 2013 7:03 PM
Subject: **********Validate Your Account**********?
Yahoo has discovered series of illegal attempts on your Account from a bad IP Location and will shut down your account as it has been flagged as a spam account. We are hereby suspending you account as it has been used for fraudulent purposes.. Click Here <Non-Yahoo-URL-malicious-site>
to restore your account. Thank you for being a loyal Yahoo! Mail user.
Regards,
Yahoo! Account Services
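Hovering over the link is the manual version of a check that can be automated. The following is an added example, not part of the original post: it parses a message, compares the brand claimed in the From display name with the domain the sender address actually uses, flags urgency wording in the subject, and then extracts every link and checks whether its destination domain belongs to the claimed brand. The sample message is constructed to mirror the one above; since the post redacted the real sender address and link, both are placeholders here, and the "yahoo.com.account-restore.example" host is a stand-in for the common trick of putting the brand name in a subdomain of the attacker's domain. LEGIT_DOMAINS is an assumption about which domains the brand really sends from, and the two-label domain function is a simplification that a real implementation would replace with a public suffix list lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not part of the original post. Messages are constructed; the
# sender address and link target are placeholders for the redacted originals.
# LEGIT_DOMAINS is an assumption about the claimed brand's real sending domains.
LEGIT_DOMAINS = {"yahoo.com"}
BRAND_RE = re.compile(r"yahoo", re.IGNORECASE)
URGENCY_RE = re.compile(r"validate|verify|suspend|shut down|restore|illegal|fraud", re.IGNORECASE)

PHISH = """\
From: "Yahoo! Mail Inc" <account-services@mail-notify.example>
To: user@yahoo.com
Subject: **********Validate Your Account**********
Content-Type: text/html; charset=utf-8

<p>Yahoo has discovered series of illegal attempts on your Account and will
shut down your account. <a href="http://yahoo.com.account-restore.example/login">Click Here</a>
to restore your account.</p>
"""

BENIGN = """\
From: "Yahoo! Mail" <no-reply@yahoo.com>
To: user@yahoo.com
Subject: Your weekly mail summary
Content-Type: text/html; charset=utf-8

<p>See what arrived this week: <a href="https://login.yahoo.com/">Open Yahoo Mail</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. yahoo.com.evil.example -> evil.example.
    Simplification: a real implementation would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    findings = []
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    if BRAND_RE.search(display_name) and sender_domain not in LEGIT_DOMAINS:
        findings.append(f"display name claims {display_name!r} but sender domain is {sender_domain}")
    if URGENCY_RE.search(msg.get("Subject", "")):
        findings.append("urgency language in subject")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if registrable_domain(host) not in LEGIT_DOMAINS:
            findings.append(f"link {text!r} points off-brand to {host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, "->", analyze(sample) or ["no findings"])
```

The benign digest produces no findings; the lookalike produces three, and the link finding is exactly what the hover tooltip would have shown. Display names, subject lines and anchor text are all attacker-controlled, so the only field worth trusting in this check is the host that the link and the sender address resolve to.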
Microsoft Security Essentials is a basic product with a lighter performance footprint than many competitors. Recent AV-Comparatives testing rates other AV products' performance against an MSE baseline.
QUOTE: However, you use your computer every day, and the last thing you want is protection that slows down everyday tasks. AV-Comparatives researchers have once again put a collection of popular products to the test, identifying which will let you sail along unhindered and which will put a drag on performance.
The report doesn't specifically include Microsoft Security Essentials among the products tested. Rather, the researchers took the case of a Windows 7 installation with MSE active as a baseline for comparison. They found that about a third of the products tested impacted performance less than MSE alone, so replacing the default antivirus with one of these would actually speed up your computer!
Antivirus protection needs to get working as early as possible in the boot process, preferably before any malware processes start. On the other hand, engaging full antivirus protection can slow the boot process. Some products resort to putting off full protection in order to minimize impact on boot time. According to the report, some load their services "very late (even minutes later)," so boot-time testing isn't necessarily relevant.
The report doesn't include boot-time testing, but AV-Comparatives researchers did perform a spot check to see which products actually load their protection as early as possible. They found that all except AVG, Bitdefender, eScan, Kingsoft, Microsoft, and Sophos delayed full protection to some degree. The others permitted the test malware to launch, and whacked it later on after completing their own initialization. I definitely favor completely preventing malware attack to allowing the attack and then trying to undo the damage.
This article shares the latest developments in monitoring employee activities for security purposes. It also covers the challenges that personal devices (BYOD) pose in a corporate setting.
QUOTE: The idea of a totalitarian government monitoring your every move is probably still the stuff of fiction, but that doesn't mean your boss doesn't have a pretty good idea of your workday habits. Experts say an abundance of fast-developing new technology is making it cheaper and easier for employers to read your e-mails, check out what you’ve been looking at on the Internet, track where you go with a company car or cell phone and find out when and where you were at work.
Of course, employers have good reason to want to know whether employees are stealing corporate secrets, sending out harassing e-mails or just goofing off on the job. But experts say many companies are still trying to figure out a balance between monitoring wrongdoing and just plain snooping.
Employers generally have the right to monitor employee e-mails and other online activity that happens at work, or even on a company cell phone or corporate network, said Lothar Determann, a partner at Baker & McKenzie LLP in Palo Alto, Calif., and author of “Determann’s Field Guide to International Data Privacy Law Compliance.” But they can only do so if they make clear to their employees that workers should have no expectation of privacy.
This "pop quiz" can be taken quickly and shares realistic examples for many of the latest attack scenarios. While I got almost all items right, I did miss a couple of questions by not reading the question thoroughly or not choosing the best answer.