Security Protection – Harry Waldron MVP

May, 2013:

USA Electric Grid – Persistent Cyber Attacks during 2013

Over a dozen utility companies have acknowledged they experience daily attacks as noted in the Bit9 security blog:

https://blog.bit9.com/2013/05/30/us-electric-grid-under-persistent-cyber-attack/

QUOTE: A recent report by Reps. Edward Markey (D-Mass.) and Henry Waxman (D-Calif.) referenced more than a dozen utility companies that acknowledged they experience daily persistent cyber attacks. Although statistically similar to companies in other sectors, there is more concern because a cyber attack on the U.S. energy sector has potential to be economically devastating and lead to loss of lives.

Even though North American Electric Reliability Corporation (NERC) compliance standards forbid control systems being connected to consumer-facing or administrative networks, NERC’s reach only goes so far, leaving out oversight on important industries such as oil and gas. We hear regularly about “N” million credit card numbers hacked or “Q” million user credentials stolen, despite the fact that almost all of the affected companies were PCI compliant.

When utilities start thinking that compliance = security, that’s a problem. Compliance is a great place to begin the security conversation, but organizations need to go further than what’s mandated. When we think of legacy hardware out in the field that a) need to be connected to the Internet to receive up-to-date antivirus protection, or b) are not connected to the Internet and therefore have static protection, we have to ask ourselves if these systems are really protected at all.

BIOS Security – New proof-of-concept malware can bypass security

Security researchers are analyzing potential new BIOS attacks, with proof-of-concept malware expected to be demonstrated at the Black Hat convention this summer.

http://www.darkreading.com/vulnerability/bios-bummer-new-malware-can-bypass-bios/240155473

QUOTE: As more hardware vendors seek to implement the new NIST 800-155 specification that was designed to make the start-up BIOS firmware on our PCs and laptops more secure, they may need to rethink the security assumptions upon which the standard depends. A trio of researchers from The MITRE Corp. say that the current approach relies too heavily on access control mechanisms that can easily be bypassed. The researchers are taking their message to Black Hat USA later this summer in a talk where they plan to unveil new malware proofs-of-concept that can trick an endpoint’s Trusted Platform Module (TPM) chip into thinking the BIOS firmware is clean and can persist infecting the BIOS after it has been flashed, or reset, or even after it has been updated.

“The first one we’re going to introduce is called the tick, which is a stealth malware that lives in the firmware, so it’s persistent past reflashes and is able to forge the TPM’s PCR values to provide a known good expected value,” Butterworth says. “The second one we’ll introduce what we call the flea because it is able to jump from one BIOS revision to the next. Whereas the tick can easily be removed if you simply update or upgrade your BIOS revision, the flea is actually able to sense that firmware is about to be updated and is able to clone itself into the update image.”

Social Networking – Controls needed to prevent underage users

Effective July 1st, revised US privacy laws will require parental consent. As this article from Facecrooks security notes, improved controls are needed to ensure all users meet age restriction requirements.

http://facecrooks.com/Internet-Safety-Privacy/Preteens-Use-of-Instagram-has-Privacy-and-Safety-Advocates-Concerned.html

QUOTE: More and more teenagers (and even preteens) are moving away from traditional social media sites like Facebook and Twitter and embracing photo-sharing services like Instagram and SnapChat. However, while pre-teens are not technically allowed to use Instagram (the minimum age is 13), many do easily, and with few questions asked. “Facebook is not doing enough to ensure children under 13 don’t have access to the site,” said Joy Spencer, a director of child safety for the Center for Digital Democracy. “That raises a number of concerns about safety, and because Instagram then is able to collect personally identifiable information on children, which can be used to target ads toward them in the future.”

Instagram does not ask for any personal information during registration, allowing pre-teens to easily register for the site. (Facebook, for its part, asks personal information to determine if someone is underage.) However, a new revision to U.S. child privacy law that takes effect on July 1 will require social networks to get parental consent if they collect personal information such as photos, email addresses or videos from underage users. Determining age online is difficult, and the new revision on July 1 will be even harder to police. However, photo sharing sites like Instagram are exploding in popularity among young users, and the sites’ privacy settings must catch up to the boom.

Google’s Chrome 27 – Security updates

While the link below is oriented to the Apple OS X environment, version 27 is also available for Windows.

http://www.intego.com/mac-security-blog/googles-chrome-27-includes-security-fixes-and-more/

The Google team has updated its web browser to Google Chrome 27.0.1453.93 for Mac and other operating systems, which includes security fixes for fourteen vulnerabilities (11 high-level bugs, 2 medium-level bugs, and 1 low-level bug). Google provided $14,633.70 in rewards to the security researchers who provided information about the vulnerabilities covered in this software update. Following are details of all security issues fixed in Chrome version 27.0.1453.93:

CVE-2013-2836: Various fixes from internal audits, fuzzing and other initiatives.
CVE-2013-2837: Use-after-free in SVG.
CVE-2013-2838: Out-of-bounds read in v8.
CVE-2013-2839: Bad cast in clipboard handling.
CVE-2013-2840: Use-after-free in media loader.
CVE-2013-2841: Use-after-free in Pepper resource handling.
CVE-2013-2842: Use-after-free in widget handling.
CVE-2013-2843: Use-after-free in speech handling.
CVE-2013-2844: Use-after-free in style resolution.
CVE-2013-2845: Memory safety issues in Web Audio.
CVE-2013-2846: Use-after-free in media loader.
CVE-2013-2847: Use-after-free race condition with workers.
CVE-2013-2848: Possible data extraction with XSS Auditor.
CVE-2013-2849: Possible XSS with drag+drop or copy+paste.

In addition to security fixes, the Google team mentioned the web browser includes the following new items:

* Web pages load 5% faster on average
* chrome.syncFileSystem API
* Improved ranking of predictions, improved spell correction, and numerous fundamental improvements for Omnibox predictions

Chrome 27 also contains a new Adobe Flash build. You can find more information about Adobe’s newest software updates here.

Deloitte Study – 90 percent of passwords vulnerable to brute force attacks

This article shares techniques for creating stronger passwords.

http://securitywatch.pcmag.com/security/312068-infographic-the-smart-approach-to-password-creation

QUOTE: In a recent study, Deloitte reported that over 90 percent of passwords created by individual users are “vulnerable to hacking in a matter of seconds.” This includes stupid passwords like “password” and “123456,” but also includes “those considered strong by IT departments.” The researchers determined that a dictionary of the 10,000 most common passwords would match over 98 percent of all secured accounts. How can you improve your passwords? Sophos suggests you just need to be smart. Well, actually, they suggest you need to be S.M.A.R.T. That’s a reminder to use five specific best practices when creating passwords: Strong, Multi-character, Avoid associations, Random, and Tools.
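The study’s point is that a short list of common passwords covers almost every account, so a defender’s first check is a blocklist lookup, not an entropy calculation. The script below is an added example (not from the article, Deloitte or Sophos) of the two checks in that order: undo the cosmetic tricks people use to dress up a dictionary word (capitalisation, trailing digits or symbols, leet substitutions) and test the result against a common-password list, and only then estimate how long exhausting the password’s keyspace would take. The blocklist, the leet table and the guess rate of 10^10 per second are constructed placeholders; a real deployment would load the full list.

```python
import math
import re
import string

# Constructed stand-in for a "most common passwords" list. The study above
# used 10,000 entries; a real check loads the whole list from a file.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "monkey", "dragon", "football", "iloveyou",
}

# Reverse the substitutions people apply to "strengthen" a dictionary word.
# This table is an assumption for the example, not a standard.
_LEET = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})


def normalize(password):
    """Base forms a dictionary would cover: lower-cased, with trailing digits
    and punctuation dropped, and with leet substitutions undone."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, stripped,
            lowered.translate(_LEET), stripped.translate(_LEET)} - {""}


def is_common(password, blocklist=COMMON_PASSWORDS):
    """True if any normalized form of the password is on the blocklist."""
    return any(form in blocklist for form in normalize(password))


def charset_size(password):
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII symbols
    return size


def brute_force_seconds(password, guesses_per_second=1e10):
    """Worst-case time to exhaust every string of the same length drawn from
    the same character classes, at an assumed (constructed) guess rate."""
    keyspace = max(charset_size(password), 1) ** len(password)
    return keyspace / guesses_per_second


def assess(password):
    """Blocklist first, keyspace second: a dictionary hit is weak no matter
    how large the keyspace math says it is."""
    common = is_common(password)
    seconds = brute_force_seconds(password)
    keyspace = max(charset_size(password), 1) ** len(password)
    if common:
        verdict = "common"
    elif seconds < 365 * 86400:      # exhaustible in under a year
        verdict = "weak"
    else:
        verdict = "ok"
    return {"common": common, "bits": math.log2(keyspace),
            "seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd1!", "abc123", "Xq7!vLm2#pR9"):
        print(candidate, assess(candidate))
```

Note that "P@ssw0rd1!" satisfies every usual complexity rule yet normalizes to "password" and is rejected before any keyspace arithmetic runs, which is exactly the "considered strong by IT departments" case the quote describes.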

Facebook – New Fan Page verification scam

This new phishing attack targets page administrators, tricking them into divulging credentials that can be misused later.

http://facecrooks.com/Scam-Watch/Fan-Page-Verification-Scam-Targets-Facebook-Page-Administrators.html

http://www.hoax-slayer.com/fan-page-verification-scam.shtml

QUOTE: A new phishing scam on Facebook claims that page administrators need to verify page ownership by submitting their Facebook username and password. Of course, it’s just a ploy to divest users of their personal info, as is made abundantly clear in the scam’s poorly-worded and grammatically incorrect “official” message from Facebook:

“Dear Facebook User,” the scam message reads, “You are receiving this message to notify you about the new security feature from Facebook called ‘Fan Page Verification Program’. After many Fan Pages have been stolen lately leaving us no choice but Deleting them forever, we had to come up with an original solution about the Fan Page’s Security. Luckily, your Fan Page, has a lot of likes and provides High Quality Content, which qualify it for this program.”

Microsoft Windows 8.1 – Summary of New Features

Summary from several evaluations below:

http://www.networkworld.com/news/2013/053013-microsoft-outs-the-new-features-270303.html

http://www.eweek.com/enterprise-apps/start-button-returns-in-windows-8.1/

http://www.informationweek.com/windows/operating-systems/windows-81-restores-start-button-with-tw/240155767?cid=nl_IW_daily_2013-05-30_html

http://www.pcmag.com/article2/0,2817,2419698,00.asp

http://www.zdnet.com/windows-blue-whats-new-on-the-search-front-7000016075/

http://www.zdnet.com/windows-8-1-unveiled-will-it-change-your-mind-about-windows-8-7000016112/

QUOTE: Microsoft announced Thursday that Windows 8.1 will restore the Start button and include a boot-to-desktop option, confirming a series of reports published the previous afternoon. At face value, the tweaks smooth over several of Windows 8’s most-criticized rough edges. What remains to be seen, however, is if the new features’ implementations will mollify detractors, or merely shift criticism for the OS, which has struggled to gain users, in a different direction.

START BUTTON: Desktop diehards will find a present waiting for them in Windows 8.1, the impending upgrade colloquially dubbed “Windows Blue.” A wonderful, horrible, oh-so-teasing present. The Start button is back–but the Start menu isn’t. Instead, clicking the old familiar button will dump you into the modern UI Start screen. While the new feature is notable for adding a helpful visual cue to an operating system rife with hidden menus, it isn’t exactly what people begging for the return of the Start button were looking for.

BOOT DESKTOP MODE: The modern-style PC settings options are also getting a big boost. One of the biggest complaints about Windows 8 is the way it constantly swaps you back and forth between the desktop and modern interfaces, a problem exacerbated by the fact that you have to dive into the desktop control panel to tinker with under-the-hood stuff. No more.

IE11: Internet Explorer 11 will make its debut in Windows 8.1, as well. While most of the tweaks sound fairly basic–faster page loads, better touch performance–it’s also adding the tab syncing feature seen in leaked builds of Blue, allowing you to open tabs across multiple Windows 8.1 PCs and tablets.

DEVICE SYNC: Speaking of, Windows 8.1 also adds the ability to sync your settings and Start screen apps across multiple devices, assuming you sign in to those devices using an online-connected Microsoft account.

TILE RE-SIZING: More minute improvements include more Live Tile sizing options, additional category filters in the All Apps screen, and a plethora of Start screen tile shuffling options.

SLIDE SHOW – sneak preview of new features: http://www.networkworld.com/slideshow/100153/windows-blue-a-sneak-peek.html

Firefox 23 – Improved security for mixed HTTP/HTTPS content

Firefox 23 adds a Mixed Content Blocker, improving security for HTTPS web pages that also load resources over plain HTTP.

https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/

QUOTE: Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker is enabled by default in Firefox 23 and protects our users from man-in-the-middle attacks and eavesdroppers on HTTPS pages. When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. With the latest Aurora, Firefox will block certain types of Mixed Content by default, providing a per-page option for users to “Disable Protection” and override the blocking.
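Because the blocker is on by default, site operators want to find their own mixed content before their users see a “Disable Protection” prompt. The following audit script is an added example, not Mozilla code: it parses a page’s HTML, resolves every fetched resource against the page URL, and reports those that resolve to a plain http:// origin. It splits findings into active content (scripts, stylesheets, frames, plugins), which is the kind a browser can block by default because it can run code or alter the page, and passive content (images, audio, video); that split is my reading of the announcement, not a list taken from Mozilla’s documentation. The sample page, its hostnames and the resource URLs are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute holding the fetched URL. Active content can execute or
# restyle the page; passive content only displays media. (Assumed split.)
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentAuditor(HTMLParser):
    """Collects resources of an HTTPS page that would be fetched over HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (tag, resolved_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            attr, kind = ACTIVE_TAGS[tag], "active"
        elif tag == "link" and (attrs.get("rel") or "").lower() == "stylesheet":
            attr, kind = "href", "active"
        elif tag in PASSIVE_TAGS:
            attr, kind = PASSIVE_TAGS[tag], "passive"
        else:
            return
        ref = attrs.get(attr)
        if not ref:
            return
        # Relative and protocol-relative ("//cdn/...") references inherit the
        # page's scheme, so only an explicit http:// URL is mixed content.
        resolved = urljoin(self.page_url, ref)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved, kind))


def audit_mixed_content(page_url, html):
    """Return (tag, url, kind) for every HTTP resource referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []   # mixed content only exists on an HTTPS page
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def active_findings(findings):
    """The subset a default-on blocker like Firefox 23's would refuse to load."""
    return [f for f in findings if f[2] == "active"]


# Constructed sample page: a mix of http://, https://, relative and
# protocol-relative references, so each resolution rule is exercised.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="stylesheet" href="//cdn.example.test/theme.css">
<script src="http://analytics.example.test/track.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<iframe src="https://pay.example.test/frame"></iframe>
<video src="http://media.example.test/intro.mp4"></video>
</body></html>"""


if __name__ == "__main__":
    for tag, url, kind in audit_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

On the sample page the two http:// stylesheet and script references are the ones that would be blocked outright; the image and video are reported so they can be fixed too, while the protocol-relative stylesheet and the site-relative script resolve to https:// and are not flagged.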

Cyber Crime Impact for 2012 was $500 million

http://securitywatch.pcmag.com/internet-crime/311558-cyber-criminals-stole-500-million-in-internet-crime-in-2012

QUOTE: Cyber-criminals stole more than a half-billion dollars last year, relying on a variety of scams including fake sales, extortion, and scareware, according to the latest figures from the Internet Crime Complaint Center. The Internet Crime Complaint Center (IC3) received 289,874 complaints, or approximately 24,000 complaints a month, in 2012, according to the 2012 Internet Crime Report released this week. Nearly 40 percent of the complaints reported some kind of financial loss, for a grand total of $525,441,110. The average loss for those who claimed a financial impact was $4,573, according to the report.

Windows 8.1 – Overview of New Features

Further Details on “Windows Blue” project announced today.

http://blogs.windows.com/windows/b/bloggingwindows/archive/2013/05/30/continuing-the-windows-8-vision-with-windows-8-1.aspx

QUOTE: Windows 8.1 will advance the bold vision set forward with Windows 8 to deliver the next generation of PCs, tablets, and a range of industry devices, and the experiences customers — both consumers and businesses alike — need and will just expect moving forward. It’s Windows 8 even better. Not only will Windows 8.1 respond to customer feedback, but it will add new features and functionality that advance the touch experience and mobile computing’s potential. Windows 8.1 will deliver improvements and enhancements in key areas like personalization, search, the built-in apps, Windows Store experience, and cloud connectivity. Windows 8.1 will also include big bets for business in areas such as management and security – we’ll have more to say on these next week at TechEd North America. Today, I am happy to share a “first look” at Windows 8.1 and outline some of the improvements, enhancements and changes customers will see.