Security Protection – Harry Waldron MVP

June, 2013:

Scam Email – New version of Winning Lottery Ticket

While most users avoid these scams, the bad guys can still take advantage of others.  All free offers should be avoided or carefully evaluated to ensure there is no danger.

http://www.threattracksecurity.com/it-blog/the-bill-gates-lottery-winning-ticket-scam-is-amazing/

QUOTE: A friend of mine had this sent to them by an elderly relative earlier today. Unfortunately they didn’t keep the sender’s email address, but they did have enough foresight to save the message text and accompanying picture because it “looked a bit different”.

Ladies and gentlemen, presenting: “A bit different” – “Dear Winner, We send you this letter to inform you that you win a sum of 250,000 euros. Bravo, Bill Gates” The most amazing thing you’ll see all day.  Unfortunately, it doesn’t say “PS you also won this picture”.  As with all fake lottery scams, feel free to delete.

Facebook Privacy – Lock down Phone and sensitive information

Facecrooks security reports that a recent proof-of-concept test allowed phone numbers set to the “public everyone” status to be collected.  Users should lock down their privacy settings on social networking sites.

http://facecrooks.com/Internet-Safety-Privacy/Hacker-Collects-Thousands-of-Phone-Numbers-Using-Graph-Search.html

QUOTE: On March 5, Copley reported a tip to Facebook pointing out the security flaw in Graph Search. Facebook wrote him back acknowledging the problem, though they said that all they can do to remedy it is to encourage users to strengthen their security settings. He gathered the massive database of numbers as a response to them, using API tokens to perform millions of searches for phone numbers.

Anti-Virus Evaluation – PC Magazine June 2013

PC Magazine recently evaluated several AV products, and the results can be found at the link below:

http://securitywatch.pcmag.com/security-software/313198-the-best-antivirus-software-new-winners-and-losers

QUOTE: Those malware coders who cobble together all the Trojans, viruses, and other nasty programs are constantly working on new creations, hoping to get past existing antivirus defenses. Security vendors are likewise constantly working on new technologies to foil the bad guys. That means PCMag’s long running Best Antivirus story is a work in progress. The latest revision, published earlier this week, adds nine new or updated programs, some of which are quite interesting.

Microsoft Security – Best Practices Home Page

Latest best practice links for corporate and home security are noted below:

http://technet.microsoft.com/en-us/library/dd366071.aspx

Microsoft Best Practices

Authentication for Administrative Authority
Best Practices for Applying Service Packs, Hotfixes and Security Patches
Best Practices for Enterprise Security
Best Practices for Preventing DoS/Denial of Service Attacks
Best Practices for Mitigating RPC and DCOM Vulnerabilities
Distributed Denial-of-Service Attacks and You
How ISA Server Can Be Configured to Stop the Code Red Worm
Inside the Secure Windows Initiative
Introduction to Security
Manage Security of Your Windows IIS Web Services
Managing Mobile Code with Microsoft Technologies
Noticing and Responding To Network-Borne Attacks
PSS Security Team Security Alert Severity Matrix
Security Content Overview



MICROSOFT HOME USER SECURITY – HOME PAGE

http://www.microsoft.com/security/default.aspx



SIX SAFETY TIPS FOR HOME USERS

http://www.microsoft.com/security/family-safety/online-safety-tips.aspx

Microsoft – Best Practices for Enterprise Security

There are approximately two dozen beneficial links that tie into the four broad disciplines below:

http://technet.microsoft.com/en-us/library/dd277328.aspx

QUOTE: To help you evaluate and plan the security of your network, Microsoft has compiled a list of best practices for securing an enterprise. This list is not meant to replace a full security assessment of your infrastructure, but is intended to point out a number of the key items that we have identified as areas for evaluation after working with our customers over the last year. These items fall in four main categories:

1. Assess Your Environment

2. Protect Your Network

3. Protect Your Servers and Clients

4. Monitor Your Environment

 

Facebook – Best Practices in double locking account privacy

PC Magazine shares two worthwhile settings that enhance both privacy and security when using Facebook. Most importantly, always use an “air of caution” when entering any sensitive information into this environment, whether in account settings or public comments.

http://securitywatch.pcmag.com/security/313078-double-lock-your-facebook-profile

QUOTE: Earlier this week, TechCrunch reported that an app developer had scraped around 2.5 million phone numbers using Facebook’s Graph Search. These were all from users who left their contact info public. You’re smart; you’ve configured Facebook so that only your friends can view your contact information. It turns out, though, that this isn’t sufficient to keep hackers from getting access to your contact information. Cloudmark’s Andrew Conway explains in a blog post that even when your info is private it may still be accessible

Double-Lock Your Profile:  To make sure you don’t become a victim, log into your Facebook account and click the padlock privacy icon at top right. Check first to be sure “Who can see your future posts?” is not set to Public. Set it so only Friends can see your posts; you can also limit visibility to a subset of your full Friends list.  Now, to hide from phone-scraping hackers, set the two “Who can look you up…” options to Friends. If you’re feeling expansive, you might set them to Friends of Friends. Just don’t leave these settings Public, and turn off search engine indexing as well.

For more advice on securing your Facebook profile, see It’s Time to Check Your Facebook Privacy Settings.

 

Facebook – Network traffic will be strengthened in future

Facebook plans to further strengthen network message encryption beyond current standard HTTPS processing, as reflected below:

http://www.nbcnews.com/technology/facebook-strengthen-security-old-school-crypto-technique-6C10476610

QUOTE: Many websites support what’s called HTTPS, an encrypted version of the normal HTTP protocol used to weave together the World Wide Web. But the way it’s implemented, there’s the possibility that a hacker (or the NSA) could get hold of the site’s “master key,” allowing them to peep in on all the site’s encrypted traffic like it was never secured in the first place.  “Perfect forward secrecy” is an advanced form of HTTPS that throws away the master key and essentially makes a new key every time someone connects. That way, even if a would-be eavesdropper manages to intercept or crack one key, they’d only have access to that one connection — and only for as long as it lasted.   Google implemented this in 2011, and now Facebook is working on adding it as well, according to CNET. It makes things a lot harder for someone trying to tap into your traffic, but just keep in mind, it won’t prevent data from escaping via bugs or those legally required disclosures we’ve been hearing so much about.

 

South Korea – June 2013 cyber-attacks

TrendLabs documents multiple extensive cyber-attacks, including attacks on government web sites:

http://blog.trendmicro.com/trendlabs-security-intelligence/south-korean-government-dns-servers-targeted-by-ddos-attacks/

http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-auto-update-mechanism-affects-south-korean-users/

QUOTE: Our investigation of the June 25 South Korea incident led us to the compromise of an auto-update mechanism attack scenario. As part of our continuous monitoring, we documented another scenario (presented in this blog entry) pertaining to a DDoS attack scenario launched at specific sites.  The recent attack against South Korean websites has revealed a certain similarity between this attack and the March 20 MBR Wiper incident: a time trigger.

Recall that the March 20 MBR wiper attack involved a malware that was set to wipe the MBR files of affected systems at specific times (triggers were set to either at or before 2PM on March 20, 2013, or 3PM or later on the same date). This trigger date is dependent on files downloaded from certain URLs that function, in effect, as commands that specify when the DDoS attack will occur. We also uncovered that the malware re-checks the trigger time to re-execute the DDoS component every 24 hours for 3 days to possibly ensure that the DDoS attack occurs for a specific duration of time.

Google – New Geographic Malware Analytical site

F-Secure shares a Google Security team blog post describing a new summarized malware analysis by location:

http://www.f-secure.com/weblog/archives/00002571.html

http://googleonlinesecurity.blogspot.fi/2013/06/transparency-report-making-web-safer.html

QUOTE: Yesterday, Google announced on its Online Security Blog that it will now include Safe Browsing statistics in its Transparency Report.  The Safe Browsing Malware Dashboard is fascinating. Here’s last week’s Malware Distribution by Autonomous System, using just the “Attack Sites” filter.  The location of the attack sites by AS?  Hmm, the USA (San Diego) is at the top.

1. USA

2. Russia

3. Ukraine

Facebook – Data breach exposed 6 million users

Facebook has closed a recently discovered privacy glitch where sensitive fields were being sent when other users sought contact information.

http://www.reuters.com/article/2013/06/21/net-us-facebook-security-idUSBRE95K18Y20130621

QUOTE: Facebook Inc has inadvertently exposed 6 million users’ phone numbers and email addresses to unauthorized viewers over the past year, the world’s largest social networking company disclosed late Friday. Facebook blamed the data leaks, which began in 2012, on a technical glitch in its massive archive of contact information collected from its 1.1 billion users worldwide. As a result of the glitch, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have.

Facebook’s security team was alerted to the bug last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the bug until Friday afternoon, when it published an “important message” on its blog explaining the issue. A Facebook spokesman said the delay was due to company procedure stipulating that regulators and affected users be notified before making a public announcement.

“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said on its blog. While the privacy breach was limited, “it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again,” it added.