Security Protection – Harry Waldron MVP

August, 2013:

JAVA Security – Increased native layer attacks reported

Trend Micro reports further developments in Java exploitation. Oracle has been improving Java security over time, and this post documents the growing sophistication of current attacks, which are shifting from the managed sandbox toward the native layer of the Java runtime:

http://blog.trendmicro.com/trendlabs-security-intelligence/java-native-layer-exploits-going-up/

QUOTE: Recently, security researchers disclosed two Java native layer exploits (CVE-2013-2465 and CVE-2013-2471). This caused us to look into native layer exploits more closely, as they have been becoming more common this year. At this year’s Pwn2Own competition at CanSecWest, Joshua Drake showed CVE-2013-1491, which was exploitable on Java 7 running on Windows 8. CVE-2013-1493 has become a popular vulnerability to target in exploits kits such as Blackhole.

Facebook – Privacy changes coming September 5, 2013

Facebook will be updating its privacy policy in early September, as noted below.

https://www.facebook.com/notes/facebook-site-governance/proposed-updates-to-our-governing-documents/10153167395945301

http://bits.blogs.nytimes.com/2013/08/29/facebook-to-update-privacy-policy-but-adjusting-settings-is-no-easier/

QUOTE: We are proposing updates to two important legal documents – our Data Use Policy and our Statement of Rights and Responsibilities. These two documents tell you about how we collect and use data, and the rules that apply when you choose to use Facebook. From time to time we update these documents to make sure we keep you posted about the latest things you can do with Facebook.

Android Security – About 7,000 malicious apps found in third-party app stores (November 2012 – May 2013)

Mobile phone users should exercise caution: malicious applications are circulating in third-party app stores, and the large majority were found in Chinese app download centers.

http://securitywatch.pcmag.com/mobile-security/315218-nearly-7-000-malicious-android-apps-infest-china-s-appstores

QUOTE: The independent testing lab AV-Comparatives has released the results of a six-month long study of third-party Android app stores. They found that most of the dangerous apps are concentrated in Chinese stores, and encountered about 7,000 dangerous apps in third-party stores. Now that’s a number to worry about. The study ran from November 2012 to May 2013, and looked at 20 major third-party app stores. Of these stores, most are known to be located in China and the region also boasts the most malware found in a single store (1,637 malicious apps in the Anzhi store, but more on that later).  In total, AV-Comparatives found 7,175 pieces of malware and greyware, the latter of which the company defines as things like spyware and adware which is risky but not necessarily malicious. Of the dangerous apps, 95 percent were concentrated in Chinese stores.

Windows XP – April 8, 2014 End of Product Lifecycle

Microsoft’s support for Windows XP ends on April 8, 2014. All home and corporate users should plan their migration to Windows 7 or 8 well ahead of this date.

http://technet.microsoft.com/library/dn283963.aspx

QUOTE:  It has been twelve years since the release of Windows XP and the world has changed so much since then.  Internet usage has grown from ~361 million to more than 2.4 billion users.  We have witnessed the rise of the internet citizen with members of society connected through email, instant messaging, video-calling, social networking and a host of web-based and device-centric applications.  As the internet becomes more and more woven into the fabric of society, it has also become an increasingly popular destination for malicious activity (as evidenced in the Microsoft Security Intelligence Report.)  Given the rapid evolution, software security has had to evolve to stay ahead of cybercrime.  To help protect users from rapid changes in the threat landscape, Microsoft typically provides support for business and developer products for 10 years after product release, and most consumer, hardware, and multimedia products for five years after product release.

Per our long established product support lifecycle, after April 8, 2014, Windows XP SP3 users will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.  This means that any new vulnerabilities discovered in Windows XP after its end of life will not be addressed by new security updates by Microsoft.  Moving forward, this will likely make it easier for attackers to successfully compromise Windows XP-based systems using exploits for unpatched vulnerabilities. In this scenario, antimalware software and other security mitigations are severely disadvantaged and over time will become increasingly unable to protect the Windows XP platform.

Windows 8 Security – Overview from TechNet August 2013 security newsletter

Key links were featured in AUGUST 2013 Microsoft Security newsletter:

http://technet.microsoft.com/library/dn283963.aspx?ocid=wc-nl-secnews

Windows 8 Security Overview
Familiarize yourself with the enterprise-grade security features in Windows 8 that can protect your devices and data from unauthorized access and threats like malware. Looking for information on what’s changed in security in Windows 8.1? See What’s New in Windows 8.1 and the Windows 8.1 Preview FAQ.

Securing the Windows 8 Boot Process
When you run Windows 8 on a Windows 8 certified PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power your PC on until your antimalware starts. Learn how Trusted Boot provides better startup security for both company- and personally-owned PCs, then get answers to common questions with a short demo and the Windows 8 Boot Security FAQ.

Windows RT in the Enterprise: Security Overview
Windows RT is designed to leverage all of the security technologies present in Windows 8. Learn how Windows RT not only supports these technologies, but how many of them are required for all Windows RT devices to help ensure that devices are protected from the first time they are turned on.

Preparing for BitLocker: Planning and Policies
When you design your BitLocker deployment strategy, you will need to define the appropriate policies and configuration requirements based on the business requirements of your organization. This article will show you how to collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. Curious about a specific aspect of BitLocker deployment or management? Check out the BitLocker FAQ.

Demo: Deploy BitLocker with MDT and Windows PowerShell
With Windows 8, you can more quickly enable BitLocker Drive Encryption during operating-system deployment. Now you can pre-provision BitLocker before installing Windows 8, and it can encrypt used disk space, rather than encrypting the entire drive. Learn how to deploy BitLocker by using the Microsoft Deployment Toolkit (MDT) and Windows PowerShell.

Try It Out: Encrypt Used Space Only
BitLocker in Windows 8 introduces Used Disk Space Only encryption, which gives you the option to encrypt only space on the drive that is actively being used. Use this quick step-by-step guide to try this process for yourself.

Manage the Identity Lifecycle
Managing identity is ultimately about managing access to your corporate resources. Users authenticate to resources with their identity, then use the properties of that identity (for example, group membership) to get authorized access to resources. See why having a good identity management system in place, with a standard process for provisioning and updating user accounts with their proper groups and other authorizations, helps ensure the right users have access to the right resources.
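The Trusted Boot and BitLocker items above describe the procedure in prose (check the platform, enable Used Disk Space Only encryption from PowerShell, then manage the recovery keys). The script below is an added example written for this page; it is not the code from Microsoft’s MDT demo or the “Try It Out” guide. It assumes Windows 8 / Server 2012 or later with the in-box BitLocker, TrustedPlatformModule and SecureBoot modules, that the OS volume is C:, and that Group Policy permits backing the recovery password up to Active Directory; those three are assumptions, not facts from the newsletter.

```powershell
# Added example (not from the Microsoft newsletter linked above): enable BitLocker
# on the OS drive with Used Disk Space Only encryption and a TPM protector, add a
# recovery password, optionally escrow it to Active Directory, and verify.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

#Requires -RunAsAdministrator
param(
    [string]$MountPoint = "C:",   # assumption: the OS volume is C:
    [switch]$EscrowToAD           # assumption: GPO allows AD backup of recovery info
)

$ErrorActionPreference = "Stop"

# 1. Platform prerequisites: Trusted Boot needs UEFI Secure Boot, and a TPM
#    protector needs a present, initialized TPM. Confirm-SecureBootUEFI throws on
#    legacy-BIOS machines, so treat an exception as "Secure Boot not available".
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM is not present or not ready; cannot add a TPM protector."
}
Write-Host ("Secure Boot: {0}  TPM ready: {1}" -f $secureBoot, $tpm.TpmReady)

# 2. Make re-runs idempotent: only act on a volume that is still fully decrypted.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne "FullyDecrypted") {
    Write-Host "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    return
}

# 3. Used Disk Space Only encryption with a TPM protector. On a freshly imaged
#    machine this completes in minutes because only allocated clusters are
#    encrypted; free space is encrypted as it is later written.
Enable-BitLocker -MountPoint $MountPoint `
                 -EncryptionMethod Aes256 `
                 -TpmProtector `
                 -UsedSpaceOnly `
                 -SkipHardwareTest

# 4. A TPM-only volume is unrecoverable after a firmware or motherboard change,
#    so add a recovery password before treating the volume as protected.
$rp   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rpId = ($rp.KeyProtector |
         Where-Object KeyProtectorType -eq "RecoveryPassword" |
         Select-Object -Last 1).KeyProtectorId

if ($EscrowToAD) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId
}

# 5. Verify. ProtectionStatus should be On once the TPM protector is active;
#    EncryptionPercentage can still be below 100 while free space is processed.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    MountPoint        = $vol.MountPoint
    VolumeStatus      = $vol.VolumeStatus
    EncryptionPercent = $vol.EncryptionPercentage
    ProtectionStatus  = $vol.ProtectionStatus
    Protectors        = ($vol.KeyProtector.KeyProtectorType -join ", ")
    RecoveryPwdId     = $rpId
}
```

Save it as a .ps1 and run it with -EscrowToAD on domain-joined machines; the final object is what you would feed into an inventory report. The same Enable-BitLocker parameters can be used in an MDT task sequence, which is what lets you pre-provision BitLocker before the OS is installed.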

Department of Homeland Security – Android O/S Security study

The Department of Homeland Security has released a report on the growing threat of Android malware and the need for improved security controls.

http://info.publicintelligence.net/DHS-FBI-AndroidThreats.pdf

QUOTE:  A report from the U.S. Department of Homeland Security shows that the government is becoming increasingly concerned about Android security threats. If the feds are grappling with how to keep Android phones secure, maybe they should just ask us for advice.  The release, dated July of this year and released through the Public Intelligence website, covers three security threats and suggested mitigation strategies—which we’ll take a look at below. The preamble also mentions that 44 percent of Android users are still running outdated versions of the OS with known security flaws, and that Android threats make up 79 percent of all known mobile malware.

Facebook – New Profile View scam in August 2013

Facecrooks notes a new version of this scam currently circulating. Facebook does not track who views user profiles, so any app or link claiming to show profile viewers should be avoided.

http://facecrooks.com/Scam-Watch/Your-Recent-Profile-Viewers-Facebook-Scam.html

QUOTE: First off, the sketchy domain name you are redirected to should be a huge red flag. If you choose to continue then you are taken to a Facebook application login screen. We decided to stop here, but it’s pretty safe to assume that you are logging in to a rogue app and this is how the scam is spreading from user to user.  It’s important to remember that anything offering to show you who has viewed or visited your profile is certain to be a scam. Facebook doesn’t allow developers access to the data required to create such apps or extensions.

Scam Message: Your Recent Profile Viewer’s

Scam Type: Profile Viewer, Rogue Facebook Application

Trending: August 2013

Why it’s a Scam: Clicking the scam link takes you to a malicious website outside of Facebook

Facebook confirms in its help center that it does not track who views user profiles.

https://www.facebook.com/help/210896588933875#Can-I-know-who’s-viewing-my-profile-(timeline)-or-how-often-it’s-being-viewed

NY Times and Twitter outages – Details of August 2013 attack

A highly realistic phishing email led to the theft of registrar reseller credentials and the alteration of the sites’ DNS records, as described in these links:

http://www.theverge.com/2013/8/28/4668346/new-york-times-twitter-hack-linked-to-phishing-email-syrian-electronic-army

http://blog.cloudflare.com/details-behind-todays-internet-hacks

QUOTE:  The dust is still settling from yesterday’s attacks on Twitter and the New York Times, but observers have already gained valuable insight into the methods that made the hacks possible. The LA Times is reporting that the hacks originated with a phishing email sent by the Syrian Electronic Army to the CTO of MelbourneIT, the DNS registrar for both Twitter and the New York Times. The emails were convincing enough to trick one of Melbourne’s resellers into giving up login credentials, which gave the hackers a crucial opening. From there, they were able to acquire the credentials of one of MelbourneIT’s resellers, and go to work redirecting NYTimes.com visitors to the SEA’s own IP address.

A Cloudflare post went into more detail on the aftermath of the hack, in which the Times called in outside help from Google, Cloudflare and OpenDNS. The bad records entered by the hackers quickly moved upstream to Verisign, the top-level registrar for nytimes.com, which resulted in major outages and redirections. Strangely, MelbourneIT was unable to fix the registry itself, so the team went to work at every level of the DNS system, from Verisign’s top-level registry to the various servers connecting Verisign to MelbourneIT.
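The attack described above did not touch the victims’ own name servers: the change was made at the registrar and propagated upstream to the .com registry, so the delegation (NS records) and the resulting A records were the observable symptoms. The script below is an added example for this page, not code from The Verge or CloudFlare posts; it is a simple tripwire that resolves the NS and A records for domains you own through more than one resolver and warns on any drift from the values you have on file. The domain, expected name servers, address prefix and resolver addresses are all assumptions chosen for illustration.

```powershell
# Added example (not from the linked articles): a delegation-drift tripwire.
# Resolve-DnsName ships with Windows 8 / Server 2012 and later (DnsClient module).

# assumption: the NS set and address ranges a zone owner keeps on record.
# example.com is used purely as a placeholder domain.
$Expected = @{
    "example.com" = @{
        NS      = @("a.iana-servers.net", "b.iana-servers.net")
        APrefix = @("93.184.")      # allowed leading octets for A records
    }
}

# assumption: ask at least one resolver you do not operate, so a stale or
# poisoned local cache cannot mask a change.
$Resolvers = @("8.8.8.8", "1.1.1.1")

function Test-Delegation {
    param([string]$Domain, [hashtable]$Want, [string]$Server)
    $findings = @()
    try {
        # -DnsOnly bypasses hosts file / LLMNR / NetBIOS so we only see DNS answers.
        $ns = @(Resolve-DnsName -Name $Domain -Type NS -Server $Server -DnsOnly -ErrorAction Stop |
                Where-Object QueryType -eq "NS" |
                ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() } |
                Sort-Object -Unique)
        $wantNs = @($Want.NS | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)

        if ($ns.Count -eq 0) {
            $findings += "no NS records returned via $Server"
        } elseif (Compare-Object $wantNs $ns) {
            # Any unexpected or missing name server is exactly what a registrar
            # hijack looks like from the outside.
            $findings += "NS drift via ${Server}: expected [$($wantNs -join ', ')] got [$($ns -join ', ')]"
        }

        $a = @(Resolve-DnsName -Name $Domain -Type A -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object QueryType -eq "A" | ForEach-Object { $_.IPAddress })
        foreach ($ip in $a) {
            $inRange = $Want.APrefix | Where-Object { $ip.StartsWith($_) }
            if (-not $inRange) {
                $findings += "A record $ip via $Server is outside the expected ranges"
            }
        }
    } catch {
        # A failed lookup is itself worth alerting on (outage or blocked resolver).
        $findings += "lookup via $Server failed: $($_.Exception.Message)"
    }
    return $findings
}

foreach ($domain in $Expected.Keys) {
    foreach ($server in $Resolvers) {
        $f = Test-Delegation -Domain $domain -Want $Expected[$domain] -Server $server
        if ($f) { $f | ForEach-Object { Write-Warning "[$domain] $_" } }
        else    { Write-Host "[$domain] delegation and addresses as expected via $server" }
    }
}
```

Run it on a schedule and route the warnings into whatever alerting you already use. It only detects the change after the fact; preventing it means registrar-side controls (strong, unique credentials and two-factor on the registrar account, and registrar or registry lock on domains that matter), since the credentials in this incident were obtained by phishing rather than by any DNS weakness.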

Social Engineering Safety – Corporate Best Practices from DefCon 2013

Trend Micro provides an excellent recap in this post:

http://blog.trendmicro.com/trendlabs-security-intelligence/how-can-social-engineering-training-work-effectively/

QUOTE: One particular aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get victims at various Fortune 500 to give up bits of information. These are the sort of social engineering attacks that give security professionals at large enterprises nightmares.  These same professionals may be in charge of programs meant to train employees on how to avoid social engineering attacks, but many of these programs are not as effective as they can and should be. What are some of the things that organizations can do to improve these programs?

1. Give these programs a good name.  It keeps training programs – and their lessons – in the minds of users.

2. Put users on the other side of the attack – teach them basic social engineering.  By putting employees in the role of the attacker, they can understand how to spot an attack and that any data is valuable to a social engineer – not just what would normally be considered “sensitive.”

3. Don’t forget the value of “no”. A very effective tactic used by social engineers is veiled threats that if the target doesn’t do what they are asked, their boss will hear about it and be angry. (employees should not be penalized for being reluctant to share sensitive information over phone or email)

4. Implement “social” penetration testing – i.e., having someone play the role of an attacker and trying to socially engineer employees.

Microsoft – Security Intelligence Report desktop search application

A new application for Windows 7/8 has just been released that fully indexes all 800+ pages of SIR Volume 14 into a searchable format. This is an excellent resource for security professionals.

http://blogs.technet.com/b/security/archive/2013/08/14/new-microsoft-security-intelligence-report-application-for-windows.aspx

QUOTE: Today we are pleased to announce the availability of a new Microsoft Security Intelligence Report (SIR) desktop application. This app works on Windows 7 and Windows 8 and is designed to provide our readers with an enhanced way to access the vast amount of threat intelligence contained in the SIR.  Here’s a summary of the new SIR app’s key features. All content in one convenient place – The app includes all 800+ pages of content from SIR Volume 14, the latest volume of the report, and is fully searchable.  This makes it easy to find every mention of a particular threat or country/region.

DOWNLOAD – Security Intelligence Report desktop search application

http://www.microsoft.com/en-us/download/details.aspx?id=39929