Security Protection – Harry Waldron MVP Rotating Header Image

IRS Fraudulent scams – Warnings for 2015 tax returns

Kim Komando features some protective advice in this security alert.  Users should also not respond to any unexpected calls from IRS, as this US Mail still remains the primary means of communication (and they do not contain by email or phone initially)

http://www.komando.com/tips/300138/protect-your-tax-return-from-crooks-and-hackers

In its most basic form, a crook uses your Social Security number to file a bogus tax return in your name, claiming some huge refund. According to the plan, the IRS sends out the refund to the fraudster who gets away scot-free. Or at least that’s the plan. Last summer, a Florida man was sentenced to 10 years in prison for stealing identities and then filing false returns claiming over $13 million in false refunds.

Unfortunately, convictions like this are the exception rather than the rule. Last year, the IRS actually paid out $5.8 billion in refunds that it later realized were actually fraudulent. But those were only the ones it caught. The IRS may never know just how many dollars in fraudulent refunds it has paid and gone undetected. You and other taxpayer victims may not know you’ve been hit until your legitimate return is rejected by the IRS because a crook has already filed using your information.

That’s why I’ve recommended the first step to protecting your tax return is to file as soon as possible. This reduces the window of time a thief has to file on your account. But I understand that’s not always practical for everyone. Perhaps you have a complex tax situation or you are still waiting on paperwork from others. Some people delay filing because they actually owe the government additional tax payments, and they want wait until the last minute to pay up. However, it is perfectly fine to file your return early and still hold off making your payment until the April 15 deadline.

Privacy – RadioShack Bankruptcy and possible sale of Customer Data

While technically bankruptcy courts may see customer data as an asset for sale, this action could be potentially blocked due to privacy concerns.

http://www.bloomberg.com/news/articles/2015-03-24/radioshack-s-bankruptcy-could-give-your-customer-data-to-the-highest-bidder

The phone numbers, e-mail addresses, and shopping habits of more than 100 million customers are part of RadioShack’s bankruptcy auction.  RadioShack’s customers—even those whose most recent purchase came years ago—could also find themselves sold off in the deal. The company included personal data in its bankruptcy auction as its own asset class. A website maintained by Hilco Streambank, which is serving as an intermediary for RadioShack, says that more than 13 million e-mail addresses and 65 million customer names and physical address files are for sale. Hilco Streambank is careful to note that the bankruptcy court might not approve the deals, and there have already been two legal filings in attempts to block the sale of customer data.

The broader challenge, filed last week by Texas Attorney General Ken Paxton, argues that RadioShack made an explicit promise to its customers not to sell their personal data. Paxton claims that 117 million people are included in RadioShack’s customer data sale, which he says offers some details about shopping habits. The filing cites text from a sign displayed in RadioShack stores reading: “We pride ourselves on not selling our private mailing list.” State law in Texas prohibits companies from selling personally identifiable information in a way that violates their own privacy policies. On Monday, Tennessee’s attorney general joined Texas’s objection.

Firefox – Latest Version fixes Pwn2Own and other security issues

The latest Firefox updates fix Pwn2Own and other recently discovered security issues

https://www.mozilla.org/en-US/firefox/36.0.4/releasenotes/

* 36.0.4: Security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest
* No longer accept insecure RC4 ciphers whenever possible
* Phasing out Certificates with 1024-bit RSA Keys
* 36.0.3: Security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest

EMAIL SPAM – Added text used to bypass spam filtering

The Internet Storm Center shares interesting and humorous design found in recent mass mailing to bypass SPAM filters where a salad recipe was also present within the spammed email message itself.

https://isc.sans.edu/forums/diary/Interesting+Home+Depot+Spam/19499/

At first glance it looks like yet another run of Home Depot Spam. It isn’t very sophisticated and isn’t likely to fool many.  The usual spelling mistakes and broken English. They didn’t even bother to link in Home Depot’s logo. By the time I received it both of the URLs in the message were dead, so I wasn’t able to measure what its intent was.  What makes it interesting then? If you look very carefully in the orange bar there is text.  That text and the contents of the message contain what seems to be a rather good recipe for lettuce salad:

***********************************
* 1 tablespoons olive oil
* 1 12 tablespoons fresh lemon juice
* 1 tablespoon red wine vinegar
* 2 garlic cloves, minced
* 1 teaspoon dried oregano (Mediterranean is best)

Security Testing – 2015 Pwn2Own Hacking Competition

All browsers were compromised by expert security testers as documented below and users should be lookout for updates in coming weeks as vendors patch these vulnerablities

http://thehackernews.com/2015/03/browser-hacked-pwn2own.html

The Annual Pwn2Own Hacking Competition 2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed “lokihardt,” who worked alone and nabbed the single highest payout of the competition in the Pwn2Own history, an amazing bounty of $110,000 in just two minutes.

During the second and final day of this year’s hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers.  Sponsored by HP’s Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive:

* 5 bugs in the Windows operating system
* 4 bugs in Internet Explorer 11
* 3 bugs in Mozilla Firefox
* 3 bugs in Adobe Reader
* 3 bugs in Adobe Flash
* 2 bugs in Apple Safari
* 1 bug in Google Chrome
* $557,500 USD bounty paid out to researchers

POS Malware – PoSeidon exports credit card data externally to attackers

This new malware attack is starting to circulate.  It features a new capability to export data externally, so that attackers no longer need to log in locally to retrieve compromised credit card details

http://blogs.cisco.com/security/talos/POSeidon

http://www.computerworld.com/article/2900310/new-malware-program-poseidon-targets-pointofsale-systems.html

Retailers beware: A new Trojan program targets point-of-sale (PoS) terminals, stealing payment card data that can then be abused by cybercriminals.  The new malware program has been dubbed PoSeidon by researchers from Cisco’s Security Solutions (CSS) team and, like most point-of-sale Trojans, it scans the RAM of infected terminals for unencrypted strings that match credit card information — a technique known as memory scraping.

This sensitive information is available in plain text in the memory of a PoS system while it’s being processed by the specialized merchant software running on the terminal. Security experts have long called for the use of end-to-end encryption technology to protect payment card data from the card reader all the way to the payment service provider, but the number of systems with this capability remains low.

Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PoSeidon communicates directly with external servers and can update itself automatically. It also has defenses against reverse engineering. “PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” the CSS researchers said. “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families.”

Smart Device Security – March 2015 Symantec research study

In an evaluation of 50 smart home based devices, this Symantec research report reveals a number of gaps in security that must be improved upon in future.

http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-the-internet-of-things.pdf

The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed.

To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities.

All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattacks.

 

HIGH-LEVEL SUMMARY OF KEY FINDINGS

1. Weak authentication –  None of the devices used mutual authentication or enforced strong passwords

2. Web vulnerabilities – We found and reported ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection.

3. Local attack vulnerabilities – Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices.

4. Potential for future attacks — Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream.

Windows XP – Migration Considerations for Windows 7 or 8

Both Windows 7 and 8 provide advantages in terms of support, reliability, performance and improved security as noted below:

http://images.globalknowledge.com/wwwimages/whitepaperpdf/WP_MS_WhichWindows.pdf

This “Crossroads for Windows XP Users: Windows 7 or Windows 8?” white paper is sponsored by Global Knowledge.  It explores the pros and cons of each option – including your options for staying with XP.  The choices are basically to gut it out with XP for some period of time; transition to Windows 7 with the plan of skipping Windows 8; or transition to Windows 8 and wait and see what Windows 10 brings

Penetration Testing – Wi-Fi security strength assessment tools

This article shares Penetration Testing techniques and tools for Wi-Fi networks to assess security controls for the router and wireless protocols being used.

http://www.pcmag.com/article2/0,2817,2477437,00.asp

How to Hack Wi-Fi PasswordsYour intensions when cracking a Wi-Fi password are no doubt noble—we trust you—so here’s how to do it    Once you’re asked for a username/password, what do you do? Check your manual. Which you probably lost or threw away. So instead, go to RouterPasswords.com. The site exists for one reason: to tell people the default username/password on just about every router ever created.

Or, create a system just for this kind of thing, maybe dual-boot into a separate operating system that can do what’s called “penetration testing”—a form of offensive approach security, where you examine a network for any and all possible paths of breach.  Kali Linux is a Linux distribution built for just that purpose. You can run Kali Linux off a CD or USB key without even installing it to the hard drive.

Aircrack has been around for years.  It goes back to when Wi-Fi security was only based on WEP (Wired Equivalent Privacy).  WEP was weak even back in the day, and was supplanted in 2004 by WPA (Wi-Fi Protected Access).  The latest Aircrack-ng 1.2—labeled as a “set of tools for auditing wireless networks,” so it should be part of any network admin’s toolkit—will take on cracking WEP and WPA-PSK keys.

Cracking stronger WPA/WPA2 passwords and passphrases is the real trick these days. Reaver is the one tool that looks to be up to the task (and it’s part of the BackTrack Linux distro). You’ll need that command-line comfort again to work with it, or you’ll have to spend $65 for Reaver Pro, a hardware device that works with Windows and Mac. After two to 10 hours of trying brute force attacks, Reaver should be able to reveal a password… but it’s only going to work if the router you’re going after has both a strong signal and WPS (Wi-Fi Protected Setup) turned on.

Network Security – ISC and Microsoft document PtH attacks

The Internet Storm Center features a well-written awareness document for PtH attacks. Microsoft also has a centralized high-level resource that shares awareness & mitigating controls for this popular hacking attack to gain unauthorized access into vulnerable systems.

https://isc.sans.edu/forums/diary/Pass+the+hash/19479/

http://www.microsoft.com/pth

Passing the hash is a form of login credential theft that is quite prevalent. In it, an attacker captures the encoded session password (the “hash”) from one computer, and then re-uses it to illicitly access another computer. On (most configurations of) the Microsoft Windows operating system, this “hash” can be used as an equivalent stand-in for the original password, hence if an attacker obtains the “hash” of a privileged account, this has the exact same immediate consequences as when the attacker had gotten his hands on the password of same account.

One pre-requisite for PtH to work is that the attacker must obtain local administrator privileges on at least one computer in your organization. So, if you are still generously letting your users work and surf the web as “admin”, here’s one more reason to stop that. Another particularity of PtH is that whenever a higher privileged administrator logs on to a lower privileged device, he/she creates a privilege escalation opportunity for whoever controls that lower device. If you have some type of admin privileges in your windows AD domain, think about when you “RDP” into other devices to “check something out” or “fix something”. Doing so places your “hash” onto that device, and the hash can be harvested by someone with admin rights on that device, and re-used to impersonate you for as long as you do not change your associated password.

Sounds bad? Yup. Potentially, it is. Because what seems to be happening quite frequently is that attackers breach one single user workstation (through malware in drive-by web or email based attacks). Then, the attackers try to get admin privileges on that workstation. If the user already has local admin privs, they won, if not, they need to find some local exploit (missing patch, weak password, etc).  Once they ARE local admin, they extract all “hashes” that they can find locally on that workstation. With a bit of luck, some IT Helpdesk person who has admin privileges across ALL workstations in the firm had recently connected to that particular PC, and “left the hash” behind. Thus, the attacker ends up with admin privs across all workstations. Next step, find the workstation of a server or domain administrator, and hope to locate an even more privileged hash on there. If found: game over.  All of this can be and has been automated, and can happen in a matter of minutes.