Security Protection – Harry Waldron MVP Rotating Header Image

September, 2012:

Windows 8 – New Security Features

http://www.securitynewsdaily.com/2320-windows-8-security-features.html


QUOTE: When Microsoft’s new operating system, Windows 8, hits the market on Oct. 26, it will be chock-full of new and enhanced features aimed at giving users more security than ever before. “There are quite a few security improvements,” said Roel Schouwenberg, a senior researcher in the Boston-area office of Russian anti-virus firm Kaspersky Lab. “It all starts at the boot level, with Windows 8 offering the ability to do a secure boot.”

Internet Storm Center – Security Glossary

Good resource for security professionals

https://isc.sans.edu/glossary.html

 

 

Mobile Security – Growing Problem of Adware

Trend Labs shares an informative update related to adware risks for mobile phones

http://blog.trendmicro.com/trendlabs-security-intelligence/the-growing-problem-of-mobile-adware/

QUOTE: Despite offering impressive resolutions and more advanced features, users are more concerned with their devices’ battery life. Though manufacturers are poised to offer devices with longer battery life, certain trends such 4G/LTE potentially offsets battery enhancements. Usage certain apps and ads were also found to be power-hungry activities. In particular, ads displayed on mobile devices were also found to consume 65-75 percent of energy in free apps, as per a Purdue University and Microsoft study.  In August, we saw an increase of adware in Android applications. While these apps can have malicious routines like collecting user’s personal information, they also pose risks to battery life.

MORE INFORMATION HERE    The Growing Problems of Mobile Adware

Facebook – Search History will be kept in Activity Log

While only the individual user can see this, sharing your password or hackers compromising an account could create some privacy concerns.

http://facecrooks.com/Internet-Safety-Privacy/your-activity-log-will-now-show-facebook-search-history.html

http://newsroom.fb.com/News/An-Update-to-Activity-Log-1bc.aspx

QUOTE: Facebook announced yesterday that they will now be adding user search history to their Activity Log. The Activity Log was released along with Timeline late last year and is a useful tool that allows you to quickly review and manage your Facebook activity.  Quite a few bloggers have posted some sensational headlines about this new feature. First off, only you can see your Activity Log. Unless you let other people access your Facebook account you really don’t have anything to worry about. If your account is hacked, you probably have bigger problems than a hacker viewing your search history

Facebook – Post-by-email vulnerability may let unauthorized users post

The Next Web warns on a new vulnerability that may allow unwanted posts by email:

http://thenextweb.com/facebook/2012/09/26/security-flaw-lets-hacker-post-facebook-group/

QUOTE: Three Facebook users, Hasin Hayder, Rifat Nabi, and Abu Ashraf Masnun, have discovered a security hole in the social network that could lead to a potentially big privacy problem. The “post-by-email” feature in Facebook Groups reportedly lets an attacker post photos or plain text posts as anyone that is a member of a given group. There are a few requirements, however, if I wanted to spoof you: I would need a local SMTP server (or a server side script) and I would need to know the email address connected to your Facebook account.

Here is how it works. The attacker just has to compose a new email, change the “From:” field in the mail header and replace it with the victim’s email address, and then send the email to the group email address. The exploit works because Facebook does not employ a verification system to check who the email is coming from (according to the trio); the service simply believes the victim is sending the email and posts it as that Facebook user to the group’s Wall on the victim’s behalf. I find that unlikely, but it worked for them.

HomeSecurity.org – Beneficial tips for complete protection

This site recently discovered reaches out to the general public in an easy-to-understand approach

http://www.homesecurity.org/

Some of the following protective topis are covered:

* Alarm Price

* Security Systems

* Alarm Monitoring Options

* Alarms

* Security Cameras

* Computer Security

* Fire Safety Security

* Safes

* Home Security Checklists

* Security Devices

 

Facebooks New Gift Service – Security Warning

Facecrooks security warns of potential dangers when combining a social networking environment with e-commerence capabilities. Folks desiring to use the new service should exercise the utmost caution and look out for fake sites, phishing scams, malware attacks, and other threats.

http://facecrooks.com/Internet-Safety-Privacy/be-careful-of-facebookers-bearing-gifts.html

QUOTE: On Thursday, the social networking giant launched Facebook Gifts – a new social gifting service that allows users to purchase real gifts for their friends, have them shipped and have a preview of the gift pop up on their Timeline. Facebook will even give users the choice to send a gift in the “birthday reminders” section on the right hand side of the page. Investors are salivating over the monetization possibilities, as just a minute amount of adaptation could result in a windfall of cash for Facebook. However, this feature has already raised some serious privacy concerns.

The amount of private data users are sharing on social networking sites already exceeds all security precautions,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, to PC World Australia. “Making it so much easier for the user to add a number of addresses they can receive parcels at (including probably work or school addresses) would make it even easier for real-life criminals to gather information about a potential victim…the new information that might be shared by users is particularly dangerous in the case of account compromise.” Experts also caution that hackers and spyware creators could take advantage of people’s natural curiosity about gifts to exploit them.

CD Technology – 30 year anniversary

Sony released this technology in OCT 1982 as documented in this article.  A few years later, this showed up in computer technology to be later replaced with DVD drives.

http://www.nbcnews.com/technology/gadgetbox/30-years-ago-cd-started-digital-music-revolution-6167906

QUOTE: The digital music revolution officially hit 30 years ago, on Oct. 1, 1982. While you may be surprised to learn that the heralds of the coming age were, in fact, the Bee Gees, it probably comes as less of a shock to learn that Sony was at the very heart of it. After years of research and an intense period of collaboration with Philips, Sony shipped the world’s first CD player, the CDP-101. Music — and how we listen to it — would never be the same.

GPS Technology – Don’t rely on it completely

GPS technology is a great tool and is highly accurate in most cases.  Still, one should not rely completely on this service will real maps or facilities as noted in the artile.

http://www.nbcnews.com/technology/technolog/why-i-never-trust-gps-maps-completely-you-shouldnt-either-6143202#/technology/technolog/why-i-never-trust-gps-maps-completely-you-shouldnt-either-6143202

QUOTE: But GPS only tells you where you are in latitude and longitude — building the visual maps that need to be placed under those pinpoints is a challenging multi-billion-dollar endeavor. Even Google — which stood on the shoulders of mapmakers such as TomTom-owned Tele Atlas and Nokia-owned Navteq when building its remarkable geographical database — can get it wrong every so often.

Android Mobile Security – Dirty USSD reset exploit

Further confirmation received that all Android devices may be affected where carriers or vendors have not yet provided patches.  An update is noted below:

http://securitywatch.pcmag.com/none/303186-my-android-device-is-vulnerable-to-a-dirty-ussd-hack-now-what

QUOTE: It turns out that the “Dirty USSD” exploit demonstrated yesterday on Samsung devices affects all Android devices running anything below Android 4.1.x aka Jelly Bean. Just to recap, the exploit (disclosed by researcher Ravi Borgaonkar at Ekoparty in Buenes Aires) uses the Android dialer to automatically “call” a USSD code (no user permission required!); the code can be spread through  legit-looking URL, an NFC attack, or a malicious QR code.  The most threatening USSD code, a factory reset, was specific to Samsung TouchWiz phones and has already been disabled by Samsung. However, there are many other USSD codes that work on different Android devices, though viaForensics’s Ted Eull said they aren’t so easy to find.

If you bought your device from a carrier, you are probably still vulnerable to this exploit. Unfortunately there’s not much you can do since the only entity that can update your OS is your carrier, which isn’t exactly known for timely patching (hello Android fragmentation). But all is not lost! Here are a few things you can do right now.

1. First, check if your Android phone is even vulnerable with a simple test Borgaonkar made. Click here from your phone’s browser. If you can see your IMEI, Borgaonkar advises, tongue in cheek, to disconnect from the Internet.

2. Use an alternative Android dialer, which will stop the automatic execution of any USSD code. Dialer One and exDialer are free, easy to use, and can be found in Google Play. After you install your new dialer, go to your browser and click this link (a website with an innocuous USSD code) and you’ll be prompted to complete the action with your stock Android phone, or with the dialer you just installed. Click the latter by default.

3. If you’re interested in learning more about how Android fragmentation affects device security, install X-Ray, a DARPA-funded security app from Duo Security. X-Ray simply checks which version of Android you’re running and lists all known privilege escalation vulnerabilities. Most of the vulnerabilities it detects can be exploited by a malicious app without asking for any special permissions. At the end, X-Ray shows you how to appeal to your carrier to release a prompt, OTA update.