Security Protection – Harry Waldron MVP

January, 2013:

Microsoft Office 2013 – Release Information

Microsoft Office 2013 has just been released to the general public.  Several links are noted below:

OFFICE 2013 – HOME PAGE & PRODUCTS PAGE

http://office.microsoft.com/en-us/

http://office.microsoft.com/en-us/products/

OFFICE 2013 – SECURITY IMPROVEMENTS

http://technet.microsoft.com/en-us/library/cc179050.aspx

http://www.infoworld.com/t/office-software/office-2013-shifts-security-focus-devices-identities-198196

OFFICE 2013 – NEW OFFICE 365 HOME PREMIUM OFFERING

http://office.microsoft.com/en-us/buy-microsoft-office-and-microsoft-office-365-online-FX102886268.aspx

 

OFFICE 2013 – CORPORATE VERSION

http://office.microsoft.com/en-us/professional-plus/

OFFICE 2013 – FAQ

http://office.microsoft.com/en-us/products/office-frequently-asked-questions-FX102926087.aspx

OFFICE 2013 – EARLY PRODUCT REVIEWS

http://www.techrepublic.com/blog/window-on-windows/microsoft-office-2013-is-now-available/7193

http://www.itpro.co.uk/645322/microsoft-office-2013-is-it-worth-the-upgrade

http://www.pcworld.com/article/2026564/microsoft-office-2013-is-here-hands-on-impressions-and-buying-advice.html

http://www.windowsitpro.com/article/paul-thurrotts-wininfo/microsoft-launches-office-2013-office-365-home-premium-145164

 

QUOTE: Microsoft may have made minimal visual changes to the user interface but Office 2013 is the first such suite to support touchscreen interaction. The standout feature is the inclusion of gesture support and an on-screen keyboard you can actually type on. This will sit well with organisations looking to deploy tablets as more than mere document viewers. Microsoft Word 2013 Reader Mode is a joy to use. The Reader Mode displays the document in a clean and simple manner, removing all of the application’s toolbars and presenting the text as if it was printed on a sheet of paper. For those users that have to proof sheets of pages, Reader Mode is without doubt the best way to do it. Microsoft has saved perhaps the biggest new function in Office 2013 for Excel. This comes in the form of Flash Fill. The feature aims to analyse a column of data and predict values for empty cells with the user simply clicking the Flash Fill button.

Microsoft’s SkyDrive service is just as good as other public cloud offerings such as Google Drive, and could prove to be a valuable repository for users who are constantly on the move.

Microsoft Office 365 Home Premium provides a single Office license for an entire household. With aggressive pricing, Office 365 Home Premium also provides additional benefits, such as extra SkyDrive storage, Skype world calling minutes, and free upgrades for the lifetime of the subscription.

Windows 8 – New Themes and Wallpaper released

New themes for Windows 8 have been released

http://www.neowin.net/news/microsoft-releases-new-windows-8-themes

http://blogs.windows.com/windows/b/windowsexperience/archive/2013/01/28/new-theme-roundup.aspx

QUOTE: We all love to personalise our PCs, from simple wallpaper changes to the most extreme of case mods. To give Windows 8 users a little bit more choice when personalising the OS, Microsoft is releasing new themes and wallpapers for you to download through the Windows Store.

In a cross promotional move with the Xbox 360, Microsoft has created a Halo 4 theme, bringing the “Halo 4 heroes to your Windows desktop.” And it doesn’t stop there, with the popular GTGraphics theme getting a sequel in the form of GTGraphics2. But for the more chilled, relaxed and altogether outdoorsy person, the Garden Life 2, African Wildlife, Ancient Egypt and Thailand themes should satisfy your tastes for all things beautiful, natural and manmade, in the world.

Microsoft has not forgot about the users who haven’t yet moved to Windows 8, or who simply prefer to tweak their desktops from time to time, providing new wallpapers to hopefully satisfy their personalization needs.

More details can be found here:

Windows all versions – Home Page for Themes

http://windows.microsoft.com/en-US/windows/themes

Windows 8 – Home Page for Theme Releases

http://windows.microsoft.com/en-US/windows/themes?T1=allwin8

Windows all versions – New Wallpaper Releases

http://windows.microsoft.com/en-US/windows/wallpaper?T1=new

SQL Slammer Worm – 10th anniversary of dangerous attack

I remember this attack and thankfully we had fortified all servers at work in advance with the key security patches. Also, there was not a dangerous payload, other than lost down time for corporations.  This attack, Blaster, and other similar worms illustrated the danger of not patching.  Corporate servers could get infected simply by being on the Internet with an open port and unpatched software.  This particular exploit caused folks to become more proactive in Patch Management, as it created a major Internet and business disruption.  I believe it is also still running today on a few unpatched servers.

http://www.f-secure.com/weblog/archives/00002491.html

QUOTE: F-Secure warns the computer users about new Internet worm known as Slammer. The worm generates massive amounts of network packets, overloading internet servers. This slows down all internet functions such as sending e-mail or surfing the net.  The worm was first detected in the Internet on January 25, 2003 around 5:30 GMT. After this the worm quickly spread worldwide to generate one of the biggest attacks against internet ever. According to reports, several large web sites and mail servers became unavailable.

Slammer infects only Windows 2000 servers running Microsoft SQL Server, and is therefore not a threat to the end user machines. However, its functions are still visible to the end users by the way it blocks the network traffic.  The worm uses UDP port 1434 to exploit a buffer overflow in MS SQL server. The worm is extremely small, only 376 bytes in size. It has no other functionality than to spread further, but the spreading process is so aggressive that the worm generates extreme loads.  As the worm does not infect any files, an infected machine can be cleaned simply by rebooting the machine. However, if the machine is connected to the network without applying SP2 or SP3 patches for MS SQL Server, it will soon get reinfected.

Java Security – Safety Tips in case you cannot disable

PC Magazine offers safety tips; avoiding questionable email or websites will also help protect against attacks.

http://securitywatch.pcmag.com/none/307129-if-you-can-t-disable-java-what-can-you-do

QUOTE: Java is under attack. Not only from the black hats who are crafting drive-by-downloads, malicious attachments, and other attacks that exploit the vulnerabilities in the technology, but also from the white hats who argue that users shouldn’t be using it at all. Even after Oracle patched the latest batch of zero-day vulnerabilities in Java, the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) recommended users turn Java off.  Much like Adobe’s Flash, Java is a popular target because of its tremendously large installed base. If you really don’t use websites that require Java, go ahead and dump it. We even have a nice set of instructions on how to disable Java within your browser.

Then, there are the rest of us who actually use Java on a regular basis. “I doubt that anyone who pays attention to security advice is running Java, IE 6/7/8, et. al. because they want to—we run these things because we have to, and the decision is out of our control,” security guru Jack Daniel wrote on Uncommon Sense Security. Users can adopt a two-browser system. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox. Then, enable Java in an alternative browser such as Chrome, IE9, Safari, etc., and browse only to sites that need Java and never for general Web surfing.  “It is best to enable Java in one browser and only use that browser for websites that will not function without it,” said Wisniewski.

Mobile Phones – Illegal to unlock starting JAN 26, 2013

Stricter terms for the DMCA law went into effect today and prevent changes to cell phone carrier defaults embedded in the device (unless the vendor offers capabilities as noted below).

http://www.nbcnews.com/technology/technolog/unlocking-cellphones-becomes-illegal-saturday-1C8086503

QUOTE: The clock to unlock a new mobile phone is running out. In October 2012, the Librarian of Congress, who determines exemptions to a strict anti-hacking law called the Digital Millennium Copyright Act (DMCA), decided that unlocking mobile phones would no longer be allowed. But the librarian provided a 90-day window during which people could still buy a phone and unlock it. That window closes on Jan. 26.

Unlocking a phone frees it from restrictions that keep the device from working on more than one carrier’s network, allowing it to run on other networks that use the same wireless standard. This can be useful to international travelers who need their phones to work on different networks. Other people just like the freedom of being able to switch carriers as they please.

The new rule against unlocking phones won’t be a problem for everybody, though. For example, Verizon’s iPhone 5 comes out of the box already unlocked, and AT&T will unlock a phone once it is out of contract. You can also pay full-price for a phone, not the discounted price that comes with a two-year service contract, to receive the device unlocked from the get-go. Apple sells an unlocked iPhone 5 starting at $649, and Google sells its Nexus 4 unlocked for $300.

Note that unlocking is different from “jailbreaking,” which opens the phone up for running additional software and remains legal, although it can be risky, for smartphones.

EMAIL Spam – Five Year Low but still represents 2/3 of all email traffic

SPAM attacks have declined as malware writers are using new approaches (e.g., malicious web sites, mobile phones, etc.).  Still, there is danger in processing email, as approximately 2/3 of all email traffic is spam or malware-based.  Some excellent analytical reports by Kaspersky are below:

http://www.kaspersky.com/about/news/spam/2013/Spam_in_2012_Continued_Decline_Sees_Spam_Levels_Hit_5_year_Low

QUOTE: According to Kaspersky Lab data, the share of spam in email traffic decreased steadily throughout 2012 to hit a five-year low. The average for the year stood at 72.1% – 8.2 percentage points less than in 2011. Such a prolonged and substantial decrease in spam levels is unprecedented.

The main reason behind the decrease in spam volume is the overall heightened level of anti-spam protection. Spam filters are now in place on just about every email system, even free ones. Also, many email providers have introduced mandatory DKIM signature policies (digital signatures that verify the domain from which emails are sent). Another factor behind the falling levels of spam is inexpensive advertising on legal platforms. With the emergence of Web 2.0, advertising opportunities on the Internet have skyrocketed: banners, context-based advertising, and ads on social networks and blogs.  In spite of the drop in the overall percentage of spam in mail traffic, the proportion of emails with malicious attachments fell only slightly to 3.4%.

Kaspersky – full Spam Report for 2012

http://www.securelist.com/en/analysis/204792276/Kaspersky_Security_Bulletin_Spam_Evolution_2012

Security Exploit Kits – contain attack code for older patched vulnerabilities

Many popular exploit kits add new “zero day” vulnerabilities (unpatched by the vendor) as they emerge.  However, the base architecture of the kit contains numerous older exploits, especially those which can provide the easiest avenues for compromised access.  It is important to patch Windows, Adobe, Java, and all software installed on the PC. The article illustrates the value of staying up-to-date on security patches both corporately and at home.

http://securitywatch.pcmag.com/none/307373-zero-day-not-required-diy-hacker-kits-target-older-bugs

QUOTE: Contrary to popular perception, most malware attacks aren’t targeting zero-day vulnerabilities or exotic flaws. In fact, nearly 60 percent of vulnerabilities used by popular exploit kits are more than two years old, according to a new study from Solutionary. Solutionary’s Security Engineering Research Team reviewed 26 common exploit kits and found that old vulnerabilities are still being targeted, according to the Q4 SERT Quarterly Threat Report, released Tuesday. SERT found exploit code dating as far back as 2004, which was “evidence that old vulnerabilities continue to prove fruitful for cyber-criminals,” the company said. It also is a sign that the number of newly discovered and disclosed vulnerabilities has declined since 2010.

Exploit kits make it easy for cyber-criminals to craft malware campaigns without having a lot of technical know-how and skills. With these “do-it-yourself” toolkits, criminals can hack into sites, infect computers with malware, and collect information from compromised users. The creators regularly update the kits with new attacks and features to help criminals make more money. Exploit kits frequently target vulnerabilities in Adobe Flash and Reader, Java, Internet Explorer, and other popular software. “Organizations should not only address zero-day vulnerabilities, but also address missing patches to ensure past vulnerabilities have  been remediated,” the researchers wrote.

Network Printers – Security Vulnerabilities

PC Magazine shares research into how network printers can be manipulated, taken offline, or compromised using special network attack techniques

http://securitywatch.pcmag.com/none/307308-your-network-printer-is-wide-open-to-attack

QUOTE: ViaForensics researcher Sebastian Guerrero recently released a report in which he describes a number of ways attackers could turn your boring, humdrum printer against you. According to his findings, potential vulnerabilities range from having to reset your printer (annoying) to the breach of encrypted documents (terrifying).

The research focuses on the HP-designed JetDirect software, which is used by a number of companies’ printers to easily connect to networks. Part of what JetDirect does is add printer language commands to documents which control certain aspects of the print job, such as formatting the page. “These values are parsed and interpreted by the printer,” wrote Guerrero, whose work was translated from Spanish on viaForensics’ website. “So that if we introduce a value not expected or desired, it may cause the printer to cease to be functional.”

Taking a printer down is not the same as stealing the crown jewels, but it could easily cause havoc inside of an office. Moreover, removing the ability to create hardcopies of critical documents could  force victims to use less secure means to transmit documents—perhaps over email—which would be easier to intercept than a physical document.  We’ve discussed before how true security means more than simply locking down gateways. The new reality is that any network-connected device is a potential vulnerability; whether it’s a network printer, or a VOIP phone. The future of security will likely be a holistic one, which seeks to protect everything connected to a network.

WindowsAndroid – Allows Android apps to run on Windows PC

NextWeb shares an interesting new product which allows the Android operating system to run within Windows.

http://thenextweb.com/apps/2013/01/25/windowsandroid-goes-above-and-beyond-bluestacks-lets-you-run-android-4-0-natively-on-your-pc/

QUOTE: WindowsAndroid is a very cool tool from the Beijing-based startup SocketeQ that lets you run Android 4.0 (Ice Cream Sandwich) as a native application on your Windows Vista, Windows 7, or Windows 8 machine. The creators tell us they have a deep background in virtualization, operating system, and graphics technologies, and have been working on the project for years. Essentially, WindowsAndroid allows you not only to execute Android apps on your Windows computer, but also use the browser, not to mention every other component of the operating system.

Here’s the official feature list, typos and all:

* Current ported Android version is 4.0.3r1, new version is being developed.
* Can run on Windows Vista, Windows 7 and Windows 8.
* Has exactly the same user experience with the original Android2.
* Integrated with Windows’ applications, such as Flash, Windows Media Player, etc.
* Supports any UI resolution, such as 1920×1080
* Supports windowing mode or full-screen mode, window scaling in windowing mode, and switching between windowing mode and full screen mode.
* Supports IO devices such as mouse, keyboard, remote control.
* Supports Ethernet, pppoe

Facebook – Storify application may retrieve some private data

This popular data-gathering application may pick up some items which are marked as private.  Wise advice is offered in this article by Facecrooks Security to avoid posting anything that is sensitive in nature.

http://facecrooks.com/Internet-Safety-Privacy/Private-Facebook-Statuses-Exposed-By-Storify.html

QUOTE: Storify is a popular online curation tool that gathers pictures, status updates, videos and more into one convenient place. However, Julie Pippert, founder of Artful Media Group, discovered a loophole in the service that allows private Facebook statuses to be made public via the tool.  The app can pull private Facebook statuses from groups despite privacy settings. It displays the text of the post next to a picture of the user, completely compromising the privacy of many users who most likely thought their content was safe from prying eyes. Storify obtains this seemingly private information through a process similar to copy and paste and screen grab functions.

Facebook released a statement to Mashable saying that the app isn’t obtaining any data from Facebook through its API.  This Storify problem serves as only the latest reminder that nothing is really private or hidden on the web. If you don’t want something getting out there, don’t post it on the Internet, plain and simple. It doesn’t matter what barriers your content lies behind; there’s a good chance it could get out anyway. Be more thoughtful and careful about what you post and you don’t have to worry about it.