Security Protection – Harry Waldron MVP Rotating Header Image

June, 2011:

Microsoft Office 365 – New cloud based version launched

Office 365 is a cloud based implementation of Microsoft’s functional and collaborative Office Suite. It is designed to also interact with mobile devices as well as providing “thin client” capabilities for business PCs.   Below are some key resources: 

Office 365 – Home Page http://www.office365.com/
http://www.microsoft.com/en-us/office365/online-software.aspx

Office 365 – Press release http://www.microsoft.com/Presspass/press/2011/jun11/06-28MSOffice365PR.mspx

Office 365 – Overview http://www.microsoft.com/en-us/office365/what-is-office365.aspx

Microsoft Online Services Trust Center Information http://www.microsoft.com/online/legal/v2/?docid=21&langid=en-us

Office 365 – Articles http://www.marketwatch.com/story/microsoft-launches-cloud-based-office-365-2011-06-28
http://www.eweek.com/c/a/Desktops-and-Notebooks/Microsoft-Launches-Office-365-881968/

Office 365 – Product Reviews http://www.infoworld.com/d/cloud-computing/office-365-vs-google-apps-the-infoworld-review-447
http://www.channelregister.co.uk/2011/06/28/office_365_v_google_apps/
http://www.pcmag.com/article2/0,2817,2383731,00.asp
http://www.guardian.co.uk/technology/2011/jun/28/microsoft-office-365-review

Symantec – Mobile Security Research Report

This 22 page in-depth report evaluates two popular mobile security solutions:

http://blogs.pcmag.com/securitywatch/2011/06/symantec_paper_explores_mobile.php

A Window Into Mobile Device Security (Examining the security approaches employed in Apple’s iOS and Google’s Android) http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf

QUOTE: The mass-adoption of both consumer and managed mobile devices in the enterprise has increased employee productivity but has also exposed the enterprise to new security risks. The latest mobile platforms were designed with security in mind—both teams of engineers attempted to build security features directly into the operating system to limit attacks from the outset.

However, as the paper discusses, while these security provisions raise the bar, they may be insufficient to protect the enterprise assets that regularly find their way onto devices. Finally, complicating the security picture is the fact that virtually all of today’s mobile devices operate in an ecosystem, much of it not controlled by the enterprise—they connect and synchronize out-of-the-box with third-party cloud services and computers whose security posture is potentially unknown and outside of the enterprise’s control.

Android – Malware turns phone into a proxy relay device

Trend Labs documents a new Android based malware attack where the phone can pass text messages in a stealth like manner from unauthorized users as if it were a “man in the middle”.  Infected users could incur higher future bills for these hidden text messages passing through their phone systems. 

Android – Malware turns phone into a proxy relay device http://blog.trendmicro.com/android-malware-acts-as-an-sms-relay/

QUOTE: I have seen Android malware delete and send SMS messages but this is the first time I saw an Android malware act as an SMS relay. My colleagues and I were recently able to analyze a sample of an Android malware that uses an infected device as a proxy for sending and receiving messages. Unlike most Android-specific threats we have recently seen, this one does not piggyback on legitimate Android apps. Once installed, it displays a blank window for a split second then immediately closes it.

This malware may be used for three particular reasons:

1. First, it can be used to abuse premium services. The malware author can command the backdoor to enroll the infected device in a specified premium service. The user will not have any idea that it has already been enrolled since the malware also deletes the SMS notifications for the said service.

2. Second, it can be used to spy on the targeted device. The malware author can set a specific number. Once an SMS message is received from that number, the SMS body is uploaded to its server.

3. Finally, it can be used as an SMS relay (like a proxy server for SMS messages). The malware author can send and receive SMS messages through the infected device.

The said malware is now detected as AndroidOS_CRUSEWIN.A. Trend Micro also offers protection for users of Android-based mobile devices via Trend Micro™ Mobile Security for Android.

Facebook – Dangers of posting Vacation plans in advance

It is preferrable to share vacation information and photos once you return from vacation, rather than sharing plans in advance.  If you want to share with your closest friends, use email or the phone instead.  While one might feel comfortable in sharing with friends, accounts may not be locked down to prevent access by the general public. Also, computers aid criminals in the 21st century and there are actually some who monitor and look for these situations.

Facebook – Dangers of posting Summer Vacation plans in advance http://webupon.com/social-networks/dangers-of-facebook/

QUOTE: Facebook can be a dangerous place. You have a lot of very personal information on there. It can be a lot of fun but you have to be careful that you are not taken advantage of. Watch who is on your friend list there and how much information you give out. Not everyone is bad or out to hurt you. There are many good people on there.

The danger I am talking about is with spring and summer coming and vacations coming up. Watch how much information you post about going on vacation and leaving your place vacant. Last year there was many break ins. The people were using the information off of Facebook to break into your place.

AllFaceBook.com – Best Practices and Security Information about Facebook

In researching Facebook security issues, I discovered this new resource which shares new developments, best practices and security information

AllFaceBook.com – Best Practices and Security Information about Facebook http://www.allfacebook.com/

QUOTE: AllFacebook.com launched in 2007. AllFacebook.com aims to cover all issues pertaining to Facebook including new applications, general news, and analysis about the future of social media. We also welcome contributions from experts in social media, especially posts that provide advice on how to make the best use of Facebook.

Facebook – Applications creating SPAM shutdown

Facebook has implemented a new enforcement system to shutdown spam posting broadcasts from applications. A number of Facebook applications have been disabled which manipulate member accounts and broadcast to all contacts.

Facebook Shuts A Large Number Of Applications For Spamming http://blogs.pcmag.com/securitywatch/2011/06/facebook_shuts_a_large_number.php

QUOTE:  Many Facebook application developers had their applications terminated by Facebook this week without any clear warning, according to All Facebook. Among those shut are Photo Effect, Social Interview, and Good Reads.

Facebook has, for some time, tried to find and block spam coming from applications to users’ feeds and walls. In recent days, Facebook said in a statement to All Facebook, the amount of spam complaints from users had spiked. In response they turned on a new enforcement system which took user feedback heavily into account. “This resulted in a number of applications with high negative user feedback being disabled or having certain features disabled.” Facebook created an appeal page where developers can plead their case.

Zone Alarm evaluates security for 8 Social Networking sites

Facebook and MySpace were rated as having good security.  However highly locked down settings are required to achieve this.  Users must alter settings beyond original defaults and exercise best practices while connected.  

Zone Alarm evaluates security for 8 Social Networking sites http://blog.zonealarm.com/2011/06/defending-your-privacy-which-social-networking-sites-are-secure.html

QUOTE: Deciding which social networking sites to avoid or use can be a challenge. Discovering what privacy settings they have, or don’t have, can be even more cumbersome. Here, we rank eight of the most popular social networking sites according to their privacy and look at some of the most famous security attacks from 2010.

Web Development – The need to re-engineer insecure content on secure websites

Webmasters should ensure that secure web pages (https) avoid offering mixed content, as standard pages (http) could comprise security.  Browsers are strengthening controls in the newer releases with beneficial warning messages.  IE9 blocks these types of pages by default and the user must then decide whether to override this.

Web Development – The need to re-engineer insecure content on secure websites http://blogs.pcmag.com/securitywatch/2011/06/time_for_secure_web_sites_to_p.php

QUOTE: Recently I noted that Google is strengthening the error messages and other protections in Chrome for when web sites mix HTTP with HTTPS content. I should have gone further. Microsoft is even more aggressive with Internet Explorer 9 and Firefox has some minimal protections. Safari is barely in the SSL game at all.  The trend in browsers is clear. In the past you might have gotten away with mixed content and your users wouldn’t notice, but that won’t be the case for long.

Best Practices – Corporate Termination Policies

Effective policies and standard conventions are always beneficial for an organization.  They are especially required for difficult tasks like employee terminations where emotions may supercede good judgment.  Companies should protect themselves defensively in these situations. In doing so, they also protect the employee from potential liability. 

Best Practices – Corporate Termination Policies
http://isc.sans.org/diary/How+Good+is+your+Employee+Termination+Policy+/11086

QUOTE: It is important to have a policy for limiting access to corporate technical resources after an employee has been terminated. Some basic step include: disabling user account(s), changing or locking all the passwords the former employee had access to, disabling corporate e-mail access and locking down access to their personal workstation.

An email from HR using a pre-configured template to all key stakeholders with a mean of reporting back to HR, confirming the work has been completed, would help prevent this kind of malicious activity. Of course, the account(s) should be monitored to detect potential unauthorized access.

Apple Security Update – June 2011

Please update any of the products noted below to ensure proper protection:

http://isc.sans.org/diary/Apple+Security+Updates+2011-004/11092

http://support.apple.com/kb/HT1222

QUOTE: Apple has released Mac OS X v10.6.8 and Security Update 2011-004 addressing a total of 39 vulnerabilities in OS X 10.5.x and 10.6.x. Note that if OS X 10.7 Lion is released soon

Products Affected

Mac OS X Server 10.6, Mac OS X 10.4, Mac OS X Server 10.4, Mac OS X 10.6, Mac OS X Server 10.5, Mac OS X 10.5, Product Security, AirPort, Apple TV, iPhone, iPhoto, iPod touch, iTunes, QuickTime 7, Safari