Security Protection – Harry Waldron MVP

August, 2012:

STIG Guidelines – Framework 4 Hardening standards

The following provides the DoD guidelines (the DISA STIG) for locking down the .NET Framework 4 environment:

http://iase.disa.mil/stigs/app_security/app_services/app_serv.html

QUOTE: The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (S-CAP) in order to be able to “automate” compliance reporting of the STIGs.

Complete list of standards:

http://iase.disa.mil/stigs/a-z.html

Facebook – German consumer group expresses privacy concerns

Germany has some of the strictest privacy laws in the world.  Below is a recent development concerning Facebook:

http://facecrooks.com/Internet-Safety-Privacy/german-consumer-group-gives-facebook-privacy-ultimatum.html

QUOTE: The Federation of German Consumer Organizations, a German consumer lobbying group, said on Monday that Facebook is giving away users’ information in its new App Center without first notifying them. The Federation gave Facebook a one-week ultimatum, until September 4, to comply with Germany’s rigid privacy laws and stop giving away users’ information to third-party apps or face legal action.

The Germans, having had a few run-ins with security and privacy issues in their past, have some of the strictest privacy laws in Europe, especially when it comes to data and information. However, they are by no means the first country to take a stand against Facebook. Norway and Ireland are also currently investigating the site to see if it violates any laws in their respective countries.

In the wake of the site’s historic public trading, the pressure has been building on Facebook to face up to its own privacy issues and become the responsible company it’s supposed to be. However, the site is all too often slow to respond to complaints and accusations, leading to damaging story after damaging story. Of course, being investigated by several foreign governments at once is never a good thing, either.

Best Practices – Protecting the College Laptop

Some good basic tips for protecting the laptops of students entering college this fall:

http://www.securitynewsdaily.com/2174-harden-college-laptop.html

QUOTE: However, before a laptop heads to college, there are steps that parents and students can take to ensure its safety.  First, parents should make sure there is anti-virus software installed on the machine, whether it’s a PC or a Mac.

Often a new computer will come with a free anti-virus trial period, which can be extended for a fee. It’s also important to make sure that all software on the computer is updated, or has automatic updates turned on. “If you have [a] system updated, but an old application that’s vulnerable, you’re hosed,” said Andy Willingham, an Internet security expert and blogger in Cincinnati.

Johnson also recommends using the NoScript add-on for the Mozilla Firefox Web browser. This free solution helps block drive-by downloads and generally offers more online security.  Another big issue for college kids is to be aware of the information that is shared when they log into social-media sites, Willingham said.

“Just be really careful that you are using different passwords for different sites,” he said.  That way, online criminals and identity thieves who’ve gotten ahold of one password can’t steal information from other sites.  Willingham also advises students not to access financial sites from public Wi-Fi networks, and to ask their schools if secured networks are available on campus.

“The last thing is to simply be vigilant,” Johnson said.

Windows 8 – Firefox browser version in development

Next month, a new preview version of Firefox should emerge which uses the new Windows 8 UI:

http://www.digitaltrends.com/computing/firefox-metro-browser-september/

QUOTE: Mozilla will release a preview of Firefox for Windows 8 in September, complete with Modern UI styling and windowless Flash. Mozilla already announced plans earlier in the year to offer a Modern UI (formerly known as Metro) version of its popular browser, but now new details are beginning to emerge, including a few carefully placed screenshots like the one above.

Brian R. Bondy, a developer working on the project, posted an update to his blog outlining Mozilla’s progress and goals for the fall release. “Work on the Metro style enabled desktop browser has progressed steadily and things are looking really good,” Bondy writes. According to Bondy, a preview version of Firefox will be available first as a beta release, planned for later in the year. The preview will be styled as a “combined classic + metro browser” with classic desktop user interface elements for tabbed browsing and navigation.

More details can be found here:

https://wiki.mozilla.org/Firefox/Windows_8_Integration


JAVA – Some unpatched vulnerabilities remain after out-of-band update

Yesterday’s out-of-band patch (Java 7 Update 7) closes the exploitation vector used by the zero-day attacks currently circulating.  However, Security Explorations reports that the sandbox can still be escaped when a newly reported issue is combined with some of the flaws it disclosed in April 2012, so not all issues are resolved and developments should be closely watched for any emerging threats.

http://news.softpedia.com/news/Java-Users-Still-Not-Safe-Experts-Report-New-Vulnerability-to-Oracle-Exclusive-289249.shtml

QUOTE: Researchers from Polish firm Security Explorations – the ones who were the first to report the vulnerabilities which led to the now-infamous Java zero-day – have just reported another similar bug to Oracle. This means that Java users are still exposed, even if they’ve applied the patch released by the company.  “The out-of-band patch released by Oracle yesterday, among other things fixed the exploitation vector with the use of SunToolkit class, the one we used in our proof of concept codes. This made many of them not working…Till today,” Adam Gowdiak, founder and CEO of Security Explorations, told Softpedia via email.

When combined with some of the Apr 2012 issues, the new issue (number 32) reported to Oracle today allows achieving a complete JVM sandbox bypass in the environment of the latest Java SE 7 Update 7 (the version that was released on Aug 30, 2012).  “What this means is that Java 7 users are still at risk from being exploited and the issues we reported to Oracle need to be addressed,” he added.

Apple Mac Security – OSX/Tsunami Variant dropped by Java Zero Day attack

Oracle patched the new Java zero-day exploits yesterday.  A new variant of the OSX/Tsunami backdoor is reported, though not yet confirmed, to be dropped by the same Java exploit (CVE-2012-4681), so Mac users are exposed as well as Windows users.  It is important to patch Java on all platforms.

http://www.intego.com/mac-security-blog/osxtsunami-variant-found-dropped-by-java-0-day/

QUOTE: A variant of OSX/Tsunami has been found that is rumored to be dropped as a drive-by-download by the new Java 0-day exploit, CVE-2012-4681. This method of infection has not yet been confirmed, but as this OSX malware connects out to the same IP address as the Windows backdoors known to be dropped by CVE-2012-4681, it seems they are at least related incidents. At the time of writing, the JAR file that was purported to be dropping this Trojan has been replaced with a bit of threatening text

Best Practices – Strong Secret Questions for password resets

Security awareness is shared regarding the password reset mechanisms used by many websites.  An attacker who cannot guess a password can often guess or look up the answer to a stock reset question, since many answers are public or come from a small set of possibilities.  It’s always best to select “Other” and compose a question whose answer only you know and cannot be found online, or to treat the answer as a second password and store a random one in a password manager.

http://securitywatch.pcmag.com/web-services/301737-select-strong-secret-questions-to-protect-accounts

http://www.intego.com/mac-security-blog/your-secret-question-may-not-be-so-secret-easy-to-guess-password-retrieval-questions-you-should-avoid-and-why/

QUOTE: Attackers aren’t always brute-forcing passwords to compromise accounts. Sometimes, it’s just as simple as looking at the password reset questions. By now, you should be aware that you need to be selecting long and complex passwords to protect your accounts. You also know that passwords should be unique and never reused among different sites.

But are you being careful about the password recovery question?  Also called secret questions, these questions help Websites determine users are who they say they are in case the password is ever misplaced or the account locked. Users generally select one from a drop-down list and provide an answer, presumably one that only they know.

Questions should have the following traits, according to Myers:

* It should be applicable and pertain to your life events.
* It should be definitive, with one answer that does not change, even over time.
* It should be memorable and easy to remember.
* It should be secure, so that it is difficult to guess or to find online, and long enough to act as a passphrase.
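Why the last trait matters becomes obvious when the answer is treated as what it really is: a second password. The following added example (not from the PCMag or Intego articles) stores a secret answer the way a password should be stored, with a salted PBKDF2 hash and a constant-time compare, and then runs the kind of guessing an attacker would run against it. The colour wordlist and the sample answers are constructed for the example; the point it shows is that a slow hash cannot rescue a stock question whose entire answer space is fifteen words, whereas a random answer from a password manager is outside any list an attacker can build.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

# PBKDF2 work factor for stored answers; tests pass a smaller value for speed.
ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Canonicalise an answer so "New  York" and "new york" verify identically.

    Case-folding and whitespace collapsing keep the answer memorable for the user
    without widening the guess space in any meaningful way.
    """
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Store a secret answer exactly as you would a password: salted, slow hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute and compare in constant time so timing leaks nothing about a guess."""
    trial = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"),
                                salt, iterations)
    return hmac.compare_digest(trial, digest)


# Constructed wordlist (not from the article): the realistic answer space for a
# stock question such as "What is your favourite colour?" is about a dozen words.
COLOUR_WORDLIST: List[str] = [
    "red", "blue", "green", "yellow", "purple", "orange", "black", "white",
    "pink", "brown", "grey", "gray", "teal", "gold", "silver",
]


def dictionary_attack(wordlist: List[str], salt: bytes, digest: bytes,
                      iterations: int = ITERATIONS) -> Tuple[Optional[str], int]:
    """Simulate guessing: return (matching guess, attempts) or (None, attempts).

    A slow hash only buys time against cracking a *large* answer space; a tiny
    space is exhausted in seconds no matter how expensive each trial is.
    """
    for attempts, guess in enumerate(wordlist, start=1):
        if verify_answer(guess, salt, digest, iterations):
            return guess, attempts
    return None, len(wordlist)


def random_answer(nbytes: int = 16) -> str:
    """A passphrase-strength 'answer' for the "Other" question, kept in a password manager."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Weak: a stock question with a stock answer falls to a 15-word list.
    salt, digest = hash_answer("Blue")
    print("stock answer cracked:", dictionary_attack(COLOUR_WORDLIST, salt, digest))

    # Strong: a random answer is outside any wordlist an attacker can build.
    salt, digest = hash_answer(random_answer())
    print("random answer cracked:", dictionary_attack(COLOUR_WORDLIST, salt, digest))
```

The normalisation step is deliberate: without it, a user who typed “Blue” at enrolment and “blue” at reset time would be locked out, which drives sites to accept sloppy matches or to store answers in the clear. Doing it before hashing keeps the comparison strict while tolerating the variations a real person produces.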

Blackberry – Fake Account activation email circulating

Blackberry users should exercise caution with email as noted in this warning:

http://securitywatch.pcmag.com/none/301904-fake-blackberry-id-emails-spread-malware

QUOTE: Have a BlackBerry? Watch out for a new malware campaign that masquerades as a legitimate account activation mail, Websense researchers warned. The latest malware is spreading and infecting networks using fake emails that inform recipients their BlackBerry ID has been created, researchers from Websense ThreatSeeker Network said. The text of the email is the same as the legitimate BlackBerry account creation notices sent by Research in Motion to new users. It’s the attachment that is dangerous. Users are encouraged to download the malicious file and run the attachment. Attackers are then able to drop other malicious files and modify the system Registry, making it automatically run malware programs whenever the system starts.
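The lure above works because the message text is indistinguishable from the genuine notice; the only tell is what the attachment actually is. The following added example (not from the PCMag article or from Websense) shows the check a mail gateway or an analyst can apply without any signature: parse the message with Python’s standard email library, sniff each attachment’s leading bytes, and flag files that are executables by content, carry executable or double extensions, or whose name and content disagree. The message wording, the attachment name and the payload bytes are all constructed for this example; the article does not describe the real campaign’s attachment.

```python
import pathlib
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions Windows will run directly when a user double-clicks them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi"}

# Leading bytes that identify the real file type regardless of its name.
MAGIC_SIGNATURES = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-archive",
    b"%PDF": "pdf",
}

# What the extension claims the content should sniff as.
EXPECTED_KIND = {".pdf": "pdf", ".zip": "zip-archive", ".exe": "pe-executable"}


def sniff_type(data: bytes) -> str:
    """Identify content by magic bytes; 'unknown' if nothing matches."""
    for signature, kind in MAGIC_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def triage_attachments(raw_message: str) -> List[Dict]:
    """Flag attachments that look like droppers: executable by name or by content.

    Returns one record per attachment; an empty 'reasons' list means clean.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_content()
        if isinstance(data, str):              # text/* parts decode to str
            data = data.encode("utf-8", "replace")
        suffixes = [s.lower() for s in pathlib.PurePosixPath(name).suffixes]
        sniffed = sniff_type(data)
        declared = part.get_content_type()
        reasons = []
        if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {suffixes[-1]}")
        if len(suffixes) > 1:
            reasons.append("double extension " + "".join(suffixes))
        if sniffed == "pe-executable":
            reasons.append(f"PE header (MZ) in content declared as {declared}")
        expected = EXPECTED_KIND.get(suffixes[-1]) if suffixes else None
        if expected and sniffed != "unknown" and sniffed != expected:
            reasons.append(f"name says {suffixes[-1]} but content is {sniffed}")
        findings.append({"filename": name, "declared": declared,
                         "sniffed": sniffed, "reasons": reasons,
                         "suspicious": bool(reasons)})
    return findings


def build_sample(filename: str, payload: bytes, subtype: str) -> str:
    """Construct a message mimicking the activation notice described above.

    Sender, wording and attachment name are invented for this example.
    """
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your BlackBerry ID has been created"
    msg.set_content("Thank you for creating a BlackBerry ID. "
                    "Please open the attachment to complete activation.")
    msg.add_attachment(payload, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_string()


# Constructed payloads: a fake PE stub (MZ header) and a minimal PDF header.
FAKE_PE = b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
FAKE_PDF = b"%PDF-1.4\n%%EOF\n"


def malicious_sample() -> str:
    return build_sample("BlackBerry_ID_Activation.zip", FAKE_PE, "zip")


def benign_sample() -> str:
    return build_sample("BlackBerry_ID_Terms.pdf", FAKE_PDF, "pdf")


if __name__ == "__main__":
    for record in triage_attachments(malicious_sample()) + triage_attachments(benign_sample()):
        verdict = "SUSPICIOUS" if record["suspicious"] else "ok"
        print(f"{verdict:10} {record['filename']}: {record['reasons'] or 'no findings'}")
```

Sniffing by content rather than by name is what catches the common trick of an executable renamed to look like an archive or document; a filename policy alone would pass the constructed sample, while the MZ check and the name/content mismatch both flag it.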

JAVA – emergency patch for ZERO DAY attacks released

These critical updates should be applied promptly, as attacks are actively circulating.

QUOTE: A short while ago, Oracle released updates for both Java 6 and Java 7 in response to the critical 0-Day vulnerabilities discussed earlier this week, as well as two other security issues. US-CERT has reported that applying Java 7 update 7 will solve the security issues as discussed at

More information is available at

Facebook Privacy – California bill to restrict employer access

As some employers are demanding access to employee Facebook accounts, California joins Maryland and Illinois in curtailing this invasion of personal privacy.

http://facecrooks.com/Internet-Safety-Privacy/california-working-to-ban-employers-access-to-employee-facebook-accounts.html

QUOTE: Earlier this week, the California state senate voted unanimously for a bill preventing employers from demanding access to their employees’ Facebook profiles. It is the latest such move by states looking to prevent privacy rights; similar legislation passed in Maryland and Illinois earlier this year.

However, a provision was written into that California bill that would allow employers access to their employees’ accounts to investigate allegations of misconduct or employee violations. As U.S. states continue to act on this issue, there are questions on the federal level about regulating password access everywhere.

Several officials believe that such demands may already violate federal law. “In an age where more and more of our personal information–and our private social interactions–are online, it is vital that all individuals be allowed to determine for themselves what personal information they want to make public and protect personal information from their would-be employers,” Sen. Chuck Schumer said in a statement to the Associated Press. “This is especially important during the job-seeking process, when all the power is on one side of the fence.”