Security Protection – Harry Waldron (WP)

New Yahoo Phishing Scam – Example of May 2013 attack

As the Yahoo spam filtering did not catch this new incident circulating, this new attack was discovered in my inbox this morning.

However, IE 10 shows the malicious URL when hovering over the link.

The social engineering behind these attacks is to create anxiety for the user.

If they do not carefully check, they can disclose their user credentials for email or other personal information to unauthorized users.

=========================================================

—– Forwarded Message —–
From: Yahoo!(c) Mail Inc <spoofed-email-address>
To: Harry Waldron
Sent: Thursday, May 23, 2013 7:03 PM
Subject: **********Validate Your Account**********?

Account Information

Yahoo has discovered series of illegal attempts on your Account from a bad IP Location and will shut down your account as it has been flagged as a spam account. We are hereby suspending you account as it has been used for fraudulent purposes.. Click Here <Non-Yahoo-URL-malicious-site> to restore your account. Thank you for being a loyal Yahoo! Mail user.

Regards,
Yahoo! Account Services
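The manual check described above (hover the link and compare the real host with the claimed sender) can be automated over the HTML body of a message. The script below is an added example, not code from the original post; the sample message and the placeholder phishing host are constructed, and it assumes the From header carries an address whose domain is the one the message claims to speak for.

```python
# Added example (not from the original post): flag links in an HTML e-mail whose
# host is not under the domain the From header claims. This is the check that
# hovering over "Click Here" performs by hand. Sample message is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links = []      # list of [href, text]
        self._open = None    # index of the <a> currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._open = len(self.links) - 1

    def handle_data(self, data):
        if self._open is not None:
            self.links[self._open][1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def claimed_domain(from_header):
    """'Yahoo! Mail Inc <x@mail.yahoo.com>' -> 'yahoo.com' (last two labels)."""
    addr = from_header
    if "<" in addr and ">" in addr:
        addr = addr[addr.rfind("<") + 1 : addr.rfind(">")]
    host = addr.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])

def suspicious_links(from_header, html_body):
    """Return (text, href) for links whose host is outside the claimed domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    base = claimed_domain(from_header)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host != base and not host.endswith("." + base):
            flagged.append((text, href))
    return flagged

# Constructed sample: display name and link text say Yahoo, link host does not.
SAMPLE_FROM = "Yahoo!(c) Mail Inc <account-services@mail.yahoo.com>"
SAMPLE_BODY = ('<p>We are hereby suspending you account. '
               '<a href="http://phish.example.net/restore">Click Here</a> '
               'to restore your account. '
               '<a href="https://help.yahoo.com/">Yahoo! Help</a></p>')

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_FROM, SAMPLE_BODY):
        print(f"link {text!r} points outside the claimed domain: {href}")
```

A spoofed From header does not defeat this check: the message still has to claim a Yahoo identity to be convincing, and the link host is what gets compared against that claim.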

Anti-Virus – Performance Testing April 2013

Microsoft Security Essentials is basic and impacts performance less than many products. Recent product testing rates the performance of other AV products against the MSE performance baseline.

http://securitywatch.pcmag.com/security-software/311241-speed-up-pc-performance-by-replacing-microsoft-s-built-in-antivirus

QUOTE: However, you use your computer every day, and the last thing you want is protection that slows down everyday tasks. AV-Comparatives researchers have once again put a collection of popular products to the test, identifying which will let you sail along unhindered and which will put a drag on performance.


The report doesn’t specifically include Microsoft Security Essentials among the products tested. Rather, the researchers took the case of a Windows 7 installation with MSE active as a baseline for comparison. They found that about a third of the products tested impacted performance less than MSE alone, so replacing the default antivirus with one of these would actually speed up your computer!

Antivirus protection needs to get working as early as possible in the boot process, preferably before any malware processes start. On the other hand, engaging full antivirus protection can slow the boot process. Some products resort to putting off full protection in order to minimize impact on boot time. According to the report, some load their services “very late (even minutes later),” so boot-time testing isn’t necessarily relevant.

The report doesn’t include boot-time testing, but AV-Comparatives researchers did perform a spot check to see which products actually load their protection as early as possible. They found that all except AVG, Bitdefender, eScan, Kingsoft, Microsoft, and Sophos delayed full protection to some degree. The others permitted the test malware to launch, and whacked it later on after completing their own initialization. I definitely favor completely preventing malware attack to allowing the attack and then trying to undo the damage.

SCORECARD LINK

http://www.pcmag.com/image_popup/0,1740,iid=377258,00.asp

Privacy – Corporate security monitoring of employee activities

This article shares the latest developments in monitoring employee activities for security purposes. It also shares the challenges of personal device activity (BYOD) in a corporate setting.

http://lifeinc.today.com/_news/2013/05/16/18280258-big-brother-may-not-be-watching-but-your-employer-probably-is

QUOTE: The idea of a totalitarian government monitoring your every move is probably still the stuff of fiction, but that doesn’t mean your boss doesn’t have a pretty good idea of your workday habits. Experts say an abundance of fast-developing new technology is making it cheaper and easier for employers to read your e-mails, check out what you’ve been looking at on the Internet, track where you go with a company car or cell phone and find out when and where you were at work.

Of course, employers have good reason to want to know whether employees are stealing corporate secrets, sending out harassing e-mails or just goofing off on the job. But experts say many companies are still trying to figure out a balance between monitoring wrongdoing and just plain snooping.

Employers generally have the right to monitor employee e-mails and other online activity that happens at work, or even on a company cell phone or corporate network, said Lothar Determann, a partner at Baker & McKenzie LLP in Palo Alto, Calif., and author of “Determann’s Field Guide to International Data Privacy Law Compliance.” But they can only do so if they make clear to their employees that workers should have no expectation of privacy.

PC Magazine – Ten Question Security Test – May 2013

This “pop quiz” can be taken quickly and shares realistic examples for many of the latest attack scenarios. While I got almost all items right, I did miss a couple of questions by not reading the question thoroughly or not choosing the best answer.

http://www.pcmag.com/article2/0,2817,2418514,00.asp

Microsoft Security Updates – May 2013

MS13-038 for Internet Explorer is rated as “PATCH NOW” for an exploit circulating in the wild.  All corporate and home users should apply these updates promptly.  Windows, IE, Office, and other products are updated to fix 11 vulnerabilities.

http://technet.microsoft.com/en-us/security/bulletin/ms13-may

https://isc.sans.edu/diary/Microsoft+May+2013+Black+Tuesday+Overview/15791

PDF Security – Malicious attacks increase during April 2013

Corporate and home users should avoid suspicious PDF documents and ensure they use the latest version of PDF software. For example, Adobe Reader XI (11.0.02) now offers sandbox security controls, protected mode processing, and other security controls not found in earlier versions.

http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdfs-on-the-rise/

QUOTE: Throughout 2012, we saw a wide variety of APT campaigns leverage an exploit in Microsoft Word (CVE-2012-0158). This represented a shift, as previously CVE-2010-3333 was the most commonly used Word vulnerability.  While we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640) that was made infamous by the “MiniDuke” campaign. The malware dropped by these malicious PDFs is not associated with MiniDuke, but it is associated with ongoing APT campaigns.

Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal. At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDFs exploiting CVE-2013-0640 may indicate the start of a shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158.

Twitter Security – Best practices for Group Account

Several protective practices are shared as follows:

http://securitywatch.pcmag.com/security/310959-how-to-protect-your-group-twitter-account

QUOTE: Several Twitter accounts belonging to the United Kingdom’s Guardian were hit by the Syrian Electronic Army over the weekend, and last week, Associated Press, CBS News, and BBC were also hacked. SEA threatened to keep up its attacks because Twitter keeps suspending its account. Several of the recommendations fall under basic Security 101 and are tips anyone should follow, for both their personal accounts as well as shared ones.

Twitter encouraged users to change passwords, select strong passwords, and be on the lookout for suspicious communications that may be part of a spear phishing campaign. All organizations, not just media, should be aware of potential phishing attacks. “These incidents appear to be spear phishing attacks that target your corporate email. Promoting individual awareness of these attacks within your organization and following the security guidelines below is vital to preventing abuse of your Twitter accounts,” the memo said.

Since Twitter uses email for password resets and official communications, users need to keep their email accounts secure, first by selecting strong (and different!) passwords. If two-factor authentication is available on the email account, it should be enabled, Twitter suggested. Users should never send passwords via email, even internally, Twitter warned. That way, attackers can’t find the password of the account through someone else’s archived messages.

Proof of Concept – Airplane software vulnerabilities should not impact safety

Initially, I saw this as a POC against simulation software and certainly a wake-up call to promote safety. However, Hugo’s comments are worth noting below. He noted software exploits and vulnerabilities that, with the right delivery system, could potentially be manipulated. While there are limitations on what can be accomplished, there are many mitigating controls that make this impractical currently. Still, industrial automation and especially remote control systems must be as secure as possible.

http://commandercat.com/2013/04/posthitb2013.html

QUOTE: After reading some of the news related to my talk at HITB 2013, I am writing this post with the goal of clarifying some misunderstandings, probably due to the lack of time I had during the talk, because I omitted details or for other reasons. Some of the most common wrong statements I have seen are related to:

  • The Android application: No, the Android application I developed cannot attack an airplane by itself. This application is just a user interface that sends commands to the base station and receives feedback. Without the base station, and all the other hardware shown on the slides, the application is by itself useless.

  • The flight simulator: I did not find the vulnerabilities in the flight simulator; I found all the vulnerabilities in real software and hardware of on-board aircraft systems.

  • ACARS exploitation: No, I did not attack ACARS, nor ADS-B. I just used those protocols to send and receive information to/from the aircraft. Exploits and payloads are delivered using those protocols, but I don’t attack them. That would be like saying that an exploit attacks TCP just because it is delivered via the network.

  • Real airplanes: No, none of my tools or code can be used directly against real aircraft. I did and kept it this way on purpose, but the vulnerabilities I found apply to real aircraft systems and code.

  • Old hardware: For my research I targeted both old FMS models (dating back to the 70s) as well as some of the newest ones (two or three years old).

  • Exploitability: I understand the skeptical community saying “this is not possible because ACARS does not offer commands for doing X or Y”. Once again, I only used ACARS as a communication channel and my research targeted the FMS. So, have you ever heard of memory corruption? Also, when I mentioned “No rootkit” I was referring to the fact that hiding is currently not necessary so it was not implemented, not that the post-exploitation did not include hooking.

A counter-response is noted in this thread, which documents some key safety controls that make the scenario shared very difficult to achieve (comments of this type led to the points above).

http://www.askthepilot.com/hijacking-via-android/

Computer Firewalls – Benefits of bi-directional protection

Intego security notes the benefits of outbound protection, where malware attempts to connect to the Internet from an infected computer. By definition, all firewalls offer inbound protection, and there are additional benefits in detecting and preventing malware from phoning home.

http://www.intego.com/mac-security-blog/whats-the-difference-between-incoming-and-outgoing-firewall-protection/

QUOTE: The other day, we mentioned that the OS X application firewall provides only inbound protection. I imagine there are some of you who are wondering what exactly that entails, and more specifically, how that differs from what’s in Intego’s products. Well, guess no more! Here’s a handy explanation about the difference between incoming and outgoing firewall protection.

As you may imagine, inbound protection protects you from threats that originate outside of your Mac and try to get in. There are many types of automated or direct attacks that this type of protection is useful to combat, and this is the type of protection that OS X’s application firewall provides.

But arguably the more important component, from an anti-malware perspective, is outbound protection. Outbound protection alerts you to attempts to connect out from your machine. There are a lot of legitimate processes on your machine that do need to connect out (such as to get email, surf the web, get or update settings, etc.) but if there is unknown malware on your machine, you want to be able to prevent it from connecting out to send data or to alert its controller.

Android Security – Application can hijack simulator but not real plane

While there was some initial misreporting, commercial aircraft contain special hardware and software that would prevent a situation as described in the article. With that said, everyone must constantly plan security appropriately for airlines, power plants, automobiles, or other things which could potentially be manipulated from the outside.

http://www.theregister.co.uk/2013/04/13/faa_debunks_android_hijack_claim/

QUOTE: Aviation officials have taken a skeptical view of claims that it’s possible to hijack a commercial aircraft using a smartphone, with both the US Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA) issuing statements to the effect that it simply couldn’t happen. On Wednesday, Spanish security researcher Hugo Teso gave a presentation at the Hack in the Box conference in Amsterdam in which he claimed he had developed an Android app that could allow him to take control of an airplane by feeding misinformation into its in-flight communications systems.

“The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer,” the agency wrote, making something of a muddle of the facts. The statement went on to explain that although Teso may have been able to exploit aviation software running on a simulator, as he described in his presentation, the same approach wouldn’t work on software running on certified flight hardware.