Security Protection – Harry Waldron MVP

January 26th, 2013:

Java Security – Safety Tips in case you cannot disable it

PC Magazine offers safety tips; avoiding questionable email and websites will also help protect against attacks.

http://securitywatch.pcmag.com/none/307129-if-you-can-t-disable-java-what-can-you-do

QUOTE: Java is under attack. Not only from the black hats who are crafting drive-by-downloads, malicious attachments, and other attacks that exploit the vulnerabilities in the technology, but also from the white hats who argue that users shouldn’t be using it at all. Even after Oracle patched the latest batch of zero-day vulnerabilities in Java, the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) recommended users turn Java off.  Much like Adobe’s Flash, Java is a popular target because of its tremendously large installed base. If you really don’t use websites that require Java, go ahead and dump it. We even have a nice set of instructions on how to disable Java within your browser.

Then, there are the rest of us who actually use Java on a regular basis. “I doubt that anyone who pays attention to security advice is running Java, IE 6/7/8, et. al. because they want to—we run these things because we have to, and the decision is out of our control,” security guru Jack Daniel wrote on Uncommon Sense Security. Users can adopt a two-browser system. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox. Then, enable Java in an alternative browser such as Chrome, IE9, Safari, etc., and browse only to sites that need Java and never for general Web surfing. “It is best to enable Java in one browser and only use that browser for websites that will not function without it,” said Wisniewski.

Mobile Phones – Illegal to unlock starting JAN 26, 2013

Stricter terms for the DMCA law went into effect today and prevent changes to cell phone carrier defaults embedded in the device (unless the vendor offers capabilities as noted below).

http://www.nbcnews.com/technology/technolog/unlocking-cellphones-becomes-illegal-saturday-1C8086503

QUOTE: The clock to unlock a new mobile phone is running out. In October 2012, the Librarian of Congress, who determines exemptions to a strict anti-hacking law called the Digital Millennium Copyright Act (DMCA), decided that unlocking mobile phones would no longer be allowed. But the librarian provided a 90-day window during which people could still buy a phone and unlock it. That window closes on Jan. 26.

Unlocking a phone frees it from restrictions that keep the device from working on more than one carrier’s network, allowing it to run on other networks that use the same wireless standard. This can be useful to international travelers who need their phones to work on different networks. Other people just like the freedom of being able to switch carriers as they please.

The new rule against unlocking phones won’t be a problem for everybody, though. For example, Verizon’s iPhone 5 comes out of the box already unlocked, and AT&T will unlock a phone once it is out of contract. You can also pay full-price for a phone, not the discounted price that comes with a two-year service contract, to receive the device unlocked from the get-go. Apple sells an unlocked iPhone 5 starting at $649, and Google sells its Nexus 4 unlocked for $300. [See also: Can I Get a Smartphone Without a Contract?]

Note that unlocking is different from “jailbreaking,” which opens the phone up for running additional software and remains legal, although it can be risky, for smartphones.

EMAIL Spam – Five Year Low but still represents 2/3 of all email traffic

Spam attacks have declined as malware writers are using new approaches (e.g., malicious web sites and mobile phones). Still, there is danger in processing email, as approximately 2/3 of all email traffic is spam or malware-based. Some excellent analytical reports by Kaspersky are linked below:

http://www.kaspersky.com/about/news/spam/2013/Spam_in_2012_Continued_Decline_Sees_Spam_Levels_Hit_5_year_Low

QUOTE: According to Kaspersky Lab data, the share of spam in email traffic decreased steadily throughout 2012 to hit a five-year low. The average for the year stood at 72.1% – 8.2 percentage points less than in 2011. Such a prolonged and substantial decrease in spam levels is unprecedented.

The main reason behind the decrease in spam volume is the overall heightened level of anti-spam protection. Spam filters are now in place on just about every email system, even free ones. Also, many email providers have introduced mandatory DKIM signature policies (digital signatures that verify the domain from which emails are sent). Another factor behind the falling levels of spam is inexpensive advertising on legal platforms. With the emergence of Web 2.0, advertising opportunities on the Internet have skyrocketed: banners, context-based advertising, and ads on social networks and blogs. In spite of the drop in the overall percentage of spam in mail traffic, the proportion of emails with malicious attachments fell only slightly to 3.4%.

Kaspersky – full Spam Report for 2012

http://www.securelist.com/en/analysis/204792276/Kaspersky_Security_Bulletin_Spam_Evolution_2012

Security Exploit Kits – contain attack code for older patched vulnerabilities

Many popular exploit kits add exploits for new “zero day” vulnerabilities (not yet patched by the vendor) as they emerge. However, the base architecture of a kit contains numerous older exploits, especially those that provide the easiest avenues for compromising access. It is important to patch Windows, Adobe, Java, and all software installed on the PC. The article illustrates the value of staying up-to-date on security patches both corporately and at home.

http://securitywatch.pcmag.com/none/307373-zero-day-not-required-diy-hacker-kits-target-older-bugs

QUOTE: Contrary to popular perception, most malware attacks aren’t targeting zero-day vulnerabilities or exotic flaws. In fact, nearly 60 percent of vulnerabilities used by popular exploit kits are more than two years old, according to a new study from Solutionary. Solutionary’s Security Engineering Research Team reviewed 26 common exploit kits and found that old vulnerabilities are still being targeted, according to the Q4 SERT Quarterly Threat Report, released Tuesday. SERT found exploit code dating as far back as 2004, which was “evidence that old vulnerabilities continue to prove fruitful for cyber-criminals,” the company said. It also is a sign that the number of newly discovered and disclosed vulnerabilities has declined since 2010.

Exploit kits make it easy for cyber-criminals to craft malware campaigns without having a lot of technical know-how and skills. With these “do-it-yourself” toolkits, criminals can hack into sites, infect computers with malware, and collect information from compromised users. The creators regularly update the kits with new attacks and features to help criminals make more money. Exploit kits frequently target vulnerabilities in Adobe Flash and Reader, Java, Internet Explorer, and other popular software. “Organizations should not only address zero-day vulnerabilities, but also address missing patches to ensure past vulnerabilities have been remediated,” the researchers wrote.

Network Printers – Security Vulnerabilities

PC Magazine shares research into how network printers can be manipulated, taken offline, or compromised using special network attack techniques.

http://securitywatch.pcmag.com/none/307308-your-network-printer-is-wide-open-to-attack

QUOTE: ViaForensics researcher Sebastian Guerrero recently released a report in which he describes a number of ways attackers could turn your boring, humdrum printer against you. According to his findings, potential vulnerabilities range from having to reset your printer (annoying) to the breach of encrypted documents (terrifying).

The research focuses on the HP-designed JetDirect software, which is used by a number of companies’ printers to easily connect to networks. Part of what JetDirect does is add printer language commands to documents which control certain aspects of the print job, such as formatting the page. “These values are parsed and interpreted by the printer,” wrote Guerrero, whose work was translated from Spanish on viaForensics’ website. “So that if we introduce a value not expected or desired, it may cause the printer to cease to be functional.”

Taking a printer down is not the same as stealing the crown jewels, but it could easily cause havoc inside of an office. Moreover, removing the ability to create hardcopies of critical documents could force victims to use less secure means to transmit documents—perhaps over email—which would be easier to intercept than a physical document. We’ve discussed before how true security means more than simply locking down gateways. The new reality is that any network-connected device is a potential vulnerability; whether it’s a network printer, or a VOIP phone. The future of security will likely be a holistic one, which seeks to protect everything connected to a network.

WindowsAndroid – Allows Android apps to run on Windows PC

NextWeb shares an interesting new product which allows the Android operating system to run within Windows.

http://thenextweb.com/apps/2013/01/25/windowsandroid-goes-above-and-beyond-bluestacks-lets-you-run-android-4-0-natively-on-your-pc/

QUOTE: WindowsAndroid is a very cool tool from the Beijing-based startup SocketeQ that lets you run Android 4.0 (Ice Cream Sandwich) as a native application on your Windows Vista, Windows 7, or Windows 8 machine. The creators tell us they have a deep background in virtualization, operating system, and graphics technologies, and have been working on the project for years. Essentially, WindowsAndroid allows you not only to execute Android apps on your Windows computer, but also use the browser, not to mention every other component of the operating system.

Here’s the official feature list, typos and all:

* Current ported Android version is 4.0.3r1, new version is being developed.
* Can run on Windows Vista, Windows 7 and Windows 8.
* Has exactly the same user experience with the original Android2.
* Integrated with Windows’ applications, such as Flash, Windows Media Player, etc.
* Supports any UI resolution, such as 1920×1080
* Supports windowing mode or full-screen mode, window scaling in windowing mode, and switching between windowing mode and full screen mode.
* Supports IO devices such as mouse, keyboard, remote control.
* Supports Ethernet, pppoe