Security Protection – Harry Waldron MVP

December, 2012:

Mozilla Foundation – New Security Initiative for 2013

While Mozilla Firefox and other Mozilla products have been built with good security controls over the years, major improvement programs are planned for the coming year:

https://blog.mozilla.org/security/2012/12/20/rebooting-security-engagement-at-mozilla/

QUOTE: We recently announced a reboot of our efforts to engage with security contributors at Mozilla. Today our strongest and most lasting contributor relationships are with individuals searching for bug bounties. While this program has been very successful, this model sets up a relationship where the only tangible contribution is a bug that may or may not result in a bounty. Instead we want to encourage growth in knowledge from those willing to learn, the creation of open source tools for security work and recognize the natural asymmetric challenges of an open source project that competes with closed source offerings. Three new areas of focus in 2013:

1. Contributor & Security Contributor

2. Security Champions

3. Security Mentors

Facebook Scam – Four Free Christmas Disneyland tickets

Facecrooks Security notes this new Facebook scam offering free Disney tickets:

http://facecrooks.com/Scam-Watch/Get-4-FREE-Disneyland-Tickets-Merry-Christmas-Facebook-Scam.html

Scam Message: Get 4 FREE Disneyland Tickets (Merry Christmas)

Scam Type: Survey Scam / Bogus Offer

Trending: December 2012

Why it’s a Scam: Clicking the wall post link takes you to the following page. Step 1 requires you to share a message to your Facebook profile. This is how the scam is spreading so quickly on Facebook. Think before you click, so you aren’t willingly spreading scams and spam messages to your friends. Step 2 requires you to comment on the page, and step 3 requires you to like the scam page. All three of these actions are designed to spread this scam virally across Facebook. Look at how successful the ruse is – almost 6.5 million likes so far.

Microsoft Internet Explorer older versions – Security Advisory 2794220

This new advisory warns users about targeted attacks in progress against older versions of Internet Explorer. Key Microsoft resources for Security Advisory 2794220 are noted below:

http://technet.microsoft.com/en-us/security/advisory/2794220

http://blogs.technet.com/b/msrc/archive/2012/12/29/microsoft-releases-security-advisory-2794220.aspx

http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx

QUOTE: In this particular vulnerability, IE attempts to reference and use an object that had previously been freed. The components of an exploit for such a vulnerability are typically the following:

*  Javascript to trigger the Internet Explorer vulnerability

*  Heap spray or similar memory preparation to ensure the memory being accessed after it has been freed is useful

*  A way around the ASLR platform-level mitigation

*  A way around the DEP platform-level mitigation

We’ve analyzed four exploits, all the targeted attacks we have seen. They are all very similar:

*  Obfuscated Javascript to trigger the vulnerability

*  Flash ActionScript-based heap spray

*  ASLR bypass using either Java6 MSVCR71.DLL or Office 2007/2010 hxds.dll

*  DEP bypass via chain of ROP gadgets (different ones depending on ASLR bypass)

Malware – Targeted Attack Predictions for 2013

TrendLabs forecasts an increase in targeted attacks for 2013:

http://blog.trendmicro.com/trendlabs-security-intelligence/what-kind-of-targeted-attacks-will-we-see-in-2013/

QUOTE: In his 2013 predictions, our CTO Raimund Genes predicts that there will be increasing sophistication in malware attacks, not necessarily in the technical aspects of the malware itself but in the deployment of an attack. Moreover, he believes that such attacks will increasingly have a destructive capacity and that it will be challenging to determine attribution. Building on these points, I predict the following trends for 2013:

* There will be an increasing specificity in targeted attacks, especially as knowledge of some of the noisier APT campaigns is increasingly publicized.

* While we are used to targeted attacks that are motivated by espionage, 2013 will see a rise in attacks with a destructive capacity.

* In 2013, there will be an increasing recognition that social, political and economic indicators must be used in conjunction with technical indicators to fully assess and analyze targeted attacks.

Corporate Security – Holiday Attacks are a concern

With limited staff in place over the holidays, targeted attacks during this period are a concern for enterprise security:

http://securitywatch.pcmag.com/none/306309-businesses-worry-about-christmas-day-attacks

QUOTE: Are businesses more susceptible to attack over major holidays? With so many organizations running skeleton crews as employees take time off to be with their friends and families, many people seem to think so. In an online survey of 270 security and IT professionals, about 57 percent said their companies may be more vulnerable to security attacks during major holidays such as Christmas or New Year’s. Breaking down by job function found that 61 percent of security professionals were concerned, compared to 54 percent of business stakeholders. The survey, which was conducted between Nov. 8 and Nov. 19, was commissioned by nCircle and conducted by Dimensional Research.

While it’s hard to tell if there are more Web attacks, such as denial of service, hacked Web applications, or network breaches, during major holidays (since criminals also like to celebrate the holidays too), there are more malware and malicious e-mail based attacks during this period. Cyber-criminals like to craft their phishing and spam campaigns that are specific to the holiday to increase the likelihood of the recipient falling for the scam. In a recent interview with SecurityWatch, former New York City Mayor Rudy Giuliani called the holidays a “gold mine for identity theft.”

Malware Win32/Gapz – New Bootkit Technique

ESET Security highlights a new bootkit called Gapz, which uses sophisticated techniques to infect and hide in vulnerable systems:

http://blog.eset.com/2012/12/27/win32gapz-new-bootkit-technique

QUOTE: This new bootkit technique allows the malware to execute its code before the OS loader receives control, using only a few modifications to the VBR (highlighted as “BIOS Parameter Block modification” in the figure above). This brand new technology was seen for the first time in the latest modification of the Win32/Gapz bootkit. (You can read about its sophisticated dropper in a recently published blog.) The latest modification of the Win32/Gapz bootkit infects the VBR of the active partition. What is remarkable about this technique is that only a few bytes of the original VBR are affected. This makes the threat stealthier. The essence of this approach is that Win32/Gapz modifies the “Hidden Sectors” field of the VBR while all the other data and code of the VBR and IPL remain untouched.
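A defender-side integrity check that follows from the technique described above, written as an added example here (it is not ESET's code or part of the original post): it reads the 4-byte "Hidden Sectors" field at offset 0x1C of an NTFS VBR and compares it with the start LBA of the active partition recorded in the MBR partition table, on the assumption of an MBR-partitioned disk; the two should agree on a clean volume. The MBR and VBR sectors below are constructed inline, not taken from a real disk.

```python
import struct

MBR_PART_TABLE = 0x1BE          # offset of the 4-entry partition table in the MBR
PART_ENTRY_LEN = 16
BPB_HIDDEN_SECTORS = 0x1C       # 4-byte little-endian "Hidden Sectors" field of a FAT/NTFS BPB
BOOT_SIG = b"\x55\xAA"

def active_partition_lba(mbr: bytes) -> int:
    """Return the start LBA of the active (bootable) partition entry in an MBR sector."""
    if len(mbr) != 512 or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    for i in range(4):
        entry = mbr[MBR_PART_TABLE + i * PART_ENTRY_LEN:][:PART_ENTRY_LEN]
        status, ptype = entry[0], entry[4]
        lba = struct.unpack_from("<I", entry, 8)[0]
        if status == 0x80 and ptype != 0:
            return lba
    raise ValueError("no active partition found")

def check_hidden_sectors(mbr: bytes, vbr: bytes) -> dict:
    """Compare the VBR's Hidden Sectors field with where the partition really starts.
    On an unmodified NTFS volume they match; a mismatch means the IPL will load
    sectors from somewhere other than the partition's own boot area."""
    if len(vbr) != 512 or vbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid VBR sector")
    expected = active_partition_lba(mbr)
    hidden = struct.unpack_from("<I", vbr, BPB_HIDDEN_SECTORS)[0]
    return {"oem_id": vbr[3:11].decode("ascii", "replace").strip(),
            "hidden_sectors": hidden, "partition_lba": expected,
            "suspicious": hidden != expected}

# --- constructed sample sectors (assumed layout, not real disk images) ---
def make_mbr(start_lba: int) -> bytes:
    # one active NTFS (type 0x07) entry starting at start_lba, 100 MiB long
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", start_lba, 204800)
    return b"\x00" * MBR_PART_TABLE + entry + b"\x00" * 48 + BOOT_SIG

def make_ntfs_vbr(hidden_sectors: int) -> bytes:
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"          # jump over the BPB, as a real NTFS VBR does
    vbr[3:11] = b"NTFS    "             # OEM ID
    struct.pack_into("<HBH", vbr, 0x0B, 512, 8, 0)   # bytes/sector, sectors/cluster, reserved
    struct.pack_into("<I", vbr, BPB_HIDDEN_SECTORS, hidden_sectors)
    vbr[510:512] = BOOT_SIG
    return bytes(vbr)

CLEAN = check_hidden_sectors(make_mbr(2048), make_ntfs_vbr(2048))
TAMPERED = check_hidden_sectors(make_mbr(2048), make_ntfs_vbr(2048 + 100000))
```

The same comparison can be run against sectors read from a live disk with a raw device read, which is how a scanner would apply it in practice.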

Mobile Phone Security – Malware symptoms and prevention techniques

Malware symptoms and prevention techniques are shared below:

https://blog.lookout.com/blog/2012/12/27/if-your-phone-is-hacked/

QUOTE: Here are a few questions to ask yourself to identify if your device is being overrun by malware:

1. Notice unfamiliar charges on your phone bill?

2. Is your phone acting crazy? If your phone starts acting crazy, strangely opening and closing apps, or sending text messages by itself, your phone might be compromised.

3. Is your battery draining extremely fast? Because malware apps can run constantly in the background, it is inevitable that they will run down your battery much faster than normal.

Keeping your phone safe from malware is easy if you take the right precautions when downloading apps. Follow these simple tips to keep your mobile experiences safe and sound:

1. Keep the software on your device up to date.

2. Be careful around third-party app stores.

3. Be careful where you click. Some malware comes embedded in drive-by-download website links that automatically download a malicious app to your device without your prior approval.

4. Download a mobile security app to protect you. Downloading a security app, like Lookout, that has app and link scanning capabilities will help you be safer and better protected on your mobile device.

Hidden Fine Print in Contracts or EULAs may favor consumers

Since a contract between two parties must be understood by both, the article notes that deceptive fine print may be less likely to stand up in court in the future:

http://redtape.nbcnews.com/_news/2012/12/21/16048353-annoying-fine-print-may-not-even-be-legal

QUOTE: Consumers hate fine print, but emotions rarely carry the day in courtrooms. So corporations have been having a field day with barely readable terms and conditions for some time. In fact, fine-print writers have been emboldened by a recent Supreme Court decision in which the court took their side. But in a new book titled “Boilerplate,” author and lawyer Margaret Jane Radin is taking aim at the intellectual and legal basis of fine print, trying to put a serious dent in the legal argument behind it. “I don’t think there’s a contract, ever, when something is just dropped on us,” Radin said, “especially when there is no option to vote with your feet as a consumer, when there are no alternatives.”

Radin’s point is that contracts, by definition, involve two equal parties that negotiate terms, while fine print is issued on a “take-it-or-leave-it” basis. (Just try to negotiate a lower early termination fee or strike out any clause when you sign a cellphone agreement.)  In layman’s terms, fine print is merely a list of bad things that can happen to you, the consumer. You might get hit with a penalty fee; your service might be terminated; your right to join a class-action lawsuit is surrendered

Privacy – Many firms sell collected data

This article is a reminder to keep high standards for safeguarding your privacy at every website where you hold an account (e.g., Facebook, Twitter, email, etc.):

http://redtape.nbcnews.com/_news/2012/12/19/16023208-angry-with-instagram-these-invisible-data-brokers-sell-your-privacy-every-day

QUOTE: Instagram’s abrupt change of terms this week created a predictable Internet chatter bomb, as Web users erupted in anger that the firm might violate their privacy and property rights. Sadly, there is no such outrage at companies which buy and sell our privacy as their business model — and much less interest in promising efforts to rein them in.

What do they know about you and when did they buy it? The Federal Trade Commission this week joined a series of other agencies, groups, and elected officials now banging on the door of the nation’s largest data collection firms, demanding to know just how much of U.S. consumers’ lives are tracked by these firms. Firms you’ve probably never heard of with names like Axciom, Intellius, Datalogix, and RapLeaf acquire, store, and sell hundreds of pieces of information about you to voracious marketers hungry for an advertising edge. On Tuesday, the Federal Trade Commission announced it had opened an inquiry into the business practices of those four firms and five others like them.

“Many data brokerage companies are engaging in business practices without consumer knowledge or consent — including the collection, use, and sale of personal information about the American public,” said Rep. Ed Markey, D-Massachusetts, in a statement supporting the FTC’s action.

New Smart Phone Safety Tips

For those receiving a new phone during the Christmas and holiday season, some great safety tips are found at this link:

http://securitywatch.pcmag.com/none/306312-got-a-new-phone-for-christmas-don-t-forget-these-safety-tips

A summary of the key security guidelines, plus an excellent FCC checklist, is below:

1. The Mobile Device is a Computer

2. Stick with Official Channels

3. Stick with Secure Networks

4. Slow and Steady With the Apps

5. Use FCC Checklist below as guide

EXCELLENT LIST BELOW:

http://www.fcc.gov/smartphone-security