Security Protection – Harry Waldron MVP

January, 2014:

EMAIL SPAM – ZIP Attachments surge in JAN 2014

As ZIP files are difficult to process by Anti-Spam security tools and even by some AV defense systems, SPAM attacks continue to use this approach, and users should be careful if files of this type are received unexpectedly.

http://www.symantec.com/connect/blogs/zip-attachment-spam-makes-grand-return

QUOTE: After a long hiatus, spammers are once again using an old trick, where they attach a .zip file to trick the user into executing the compressed malware. The chart below shows the number of spam messages with .zip attachments over the last 90 days in Symantec’s Global Intelligence Network (GIN).  While these examples have different file names and MD5s, they all carry the same malware, identified by Symantec as Trojan.Zbot. This Trojan has primarily been designed to steal confidential information from the compromised computer. It appears that the large attack has subsided for now, as the spam volume returned to normal levels after January 10, but it is just a matter of time before spammers organize another large campaign. Users should keep their antivirus software up-to-date and should not open attachments from unknown sources.
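As an added illustration (not from Symantec or the original post), a mail gateway can open each ZIP attachment and look at member names instead of trusting the outer file name. The function names, the extension list and the sample message below are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that run on double-click under Windows (illustrative list, an assumption).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

def risky_zip_members(raw_message: bytes):
    """Return (attachment_name, member_name, reason) for suspicious ZIP contents."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trust the content (ZIP local-header magic), not the declared name or MIME type.
        if not data.startswith(b"PK\x03\x04"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append((name, "", "unreadable archive"))
            continue
        for info in zf.infolist():
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if info.flag_bits & 0x1:      # bit 0: member is encrypted, cannot be scanned
                findings.append((name, info.filename, "encrypted member"))
            elif ext in RISKY_EXT:        # last extension wins, so "x.pdf.exe" is caught
                findings.append((name, info.filename, "executable member"))
    return findings

def build_sample() -> bytes:
    """Constructed sample: a ZIP holding harmless text named like an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2014.pdf.exe", b"placeholder bytes, not a program")
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in risky_zip_members(build_sample()):
        print(finding)
```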

FBI WARNING – More credit card breaches probable

Credit card holders should carefully check statements, and if directly notified of a breach, they should change their account information.  The FBI notes these sophisticated attacks most likely impacted more than 3 major retailers.

http://www.itpro.co.uk/data-leakage/21463/fbi-warns-of-more-credit-card-breaches

QUOTE: Target hack likely to just be the beginning. The FBI has warned US retailers to prepare for more cyber attacks after discovering about 20 hacking cases in the past year that involved the same kind of malicious software used against Target in the holiday shopping season. The US Federal Bureau of Investigation distributed a confidential, three-page report to retail companies last week describing the risks posed by “memory-parsing” malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines found in store checkout aisles.

Microsoft Security Research – Mitigating Exploits (JAN 2014)

Details can be found in this informative research report issued by Microsoft security:

http://blogs.technet.com/b/srd/archive/2013/12/11/software-defense-mitigating-common-exploitation-techniques.aspx

QUOTE: In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption, heap corruption, and unsafe list management and reference count mismanagement. These mitigations are typically associated with a specific developer mistake such as writing beyond the bounds of a stack or heap buffer, failing to correctly track reference counts, and so on. As a result, these mitigations generally attempt to detect side-effects of such mistakes before an attacker can get further along in the exploitation process, e.g. before they gain control of the instruction pointer.

Another approach to mitigating exploitation is to focus on breaking techniques that can apply to many different classes of memory safety vulnerabilities. These mitigations can have a broader impact because they apply to techniques that are used further along in the process of exploiting many vulnerabilities. For example, once an attacker has gained control of the instruction pointer through an arbitrary vulnerability, they will inherently need to know the address of useful executable code to set it to. This is where well-known mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) come into play – both of which have been supported on Windows for many releases now. When combined, these mitigations have proven that they can make it very difficult to exploit many classes of memory safety vulnerabilities even when an attacker has gained control of the instruction pointer.

Yahoo email attack – Known accounts quickly reset

Yahoo quickly took action on all known security breaches from 3rd party sites by resetting passwords.  When any security breach takes place, it is beneficial for all users to reset passwords.

http://thenextweb.com/insider/2014/01/30/yahoo-warns-unauthorized-access-mail-accounts-adds-second-sign-safety-measures/

QUOTE: Users of Yahoo mail should be aware of a security issue with the email service. Yahoo acknowledged that it has identified a “coordinated effort” by some person or group to gain “unauthorized access” to accounts. The company didn’t state how many accounts were affected, but it turns out that those impacted have been prompted to reset their passwords.

Yahoo was clear to state that it has no evidence that the attempted hacking attack came as a result of its systems being compromised. It turns out that malicious computer software was the culprit that helped someone obtain names and email addresses from affected accounts’ most recent sent emails. The company said that it was likely from a third-party database that featured the list of usernames and passwords.  So what’s being done? Yahoo is resetting passwords and implementing second sign-in verification. The company is also working with federal law enforcement agencies to find out who is responsible. Additional measures are also being implemented to help secure Yahoo’s systems.

Target Security Breach – Stolen Vendor Credentials used

Investigators are piecing together more of the puzzle, as security forensic analysis continues:

http://www.itpro.co.uk/hacking/21500/target-hackers-used-stolen-vendor-credentials-to-gain-access

QUOTE: US retailer Target said on Wednesday that the theft of a vendor’s credentials helped cyber criminals pull off a massive theft of customer data during the holiday shopping season in late 2013.  It was the first indication of how networks at the third largest US retailer were breached, resulting in the theft of about 40 million credit and debit card records and 70 million other records with customer information such as addresses and telephone numbers. “The ongoing forensic investigation has indicated that the intruder stole a vendor’s credentials, which were used to access our system,”

Network Security 2014 – Be proactive and PENTEST for security exposures

Corporations should perform Network Vulnerability assessments and internal PENTESTs on a quarterly basis for security exposures.  Annually, a highly experienced security firm can perform more in-depth testing as needed.  Corporations must actively search for weaknesses in their security defenses, as the bad guys are actively engaged in the same process. It’s always better for the security team to discover and mitigate these risks before any damage occurs.

http://www.itproportal.com/2014/01/28/why-your-business-should-practice-proactive-network-security/

QUOTE: Proactive network security should be the norm rather than the exception, and to understand why, think about the risks: What would happen if your network or PCs went down for hours? Days? The answer could range from inaccessible files to a near-complete business standstill.  A network security audit follows nearly the same methodology as an attack. First, the attacker scans the network to determine IP addressing of networks and hosts. An attacker would start from the outside and work his way in by uncovering IP addresses from DNS queries. You’ve got a head start because you already know your IP addressing scheme; it’s just a matter of conducting a quick scan (also called a sweep) to determine which IP addresses are in use.

There are many ways to go through the audit. I like to use a combination of free and commercial tools. The best known free network scanning tools are Nmap and Nessus. Of those two, Nmap is easier to install and use, but Nessus has better reporting. Also check out McAfee’s SuperScan network scanning tool. Commercial tools I like include GFI LANguard and the eEye 1505 Security Management Appliance. If you’re willing to spend the money, in return you’ll get more information about each vulnerability and its remediation – not to mention more polished interfaces, more capabilities, and better reporting.

Corporate Cloud Security – Five key strategies for 2014

http://www.itproportal.com/2014/01/31/how-to-navigate-the-cloud-5-simple-steps-to-creating-an-effective-cloud-security-strategy/

Security is one of the most commonly mentioned barriers preventing companies from taking advantage of cloud computing. Yet some experts say the cloud could and should be more secure than in-house IT. So how should organizations considering cloud services ensure they maintain security, and what are the key issues to protect data?

1. Taking a risk-based approach to cloud security

2. Identifying what to put in the cloud

3. Identifying data risks in the cloud

4. Take into account your other IT systems

5. Choosing a secure cloud provider

Sarbanes-Oxley Standards – PCI DSS 3.0 Compliance With COBIT 5

COBIT standards are among the recommended IT best practices that can help meet these stringent audit requirements. The 3rd of 4 articles in the JAN 2014 newsletter is very timely.  All 4 articles are excellent guidelines for security and audit professionals in a corporate setting.


 

Supporting PCI DSS 3.0 Compliance With COBIT 5
By Stefan Beissel, Ph.D., CISA, CISSP


The Payment Card Industry Data Security Standard (PCI DSS) aims to improve the security of cardholder data and is required when cardholder data or authentication data are stored, processed or transmitted. The implementation of enabling processes from COBIT 5 can support compliance to PCI DSS. COBIT 5 assists enterprises in governance and management of enterprise IT (GEIT) in general and, at the same time, supports the need to meet security requirements with enabling processes and management activities. The mapping of COBIT 5 enabling processes to PCI DSS 3.0 security requirements facilitates the simultaneous application of COBIT 5 and PCI DSS 3.0 and helps create synergies within the enterprise.

PCI DSS 3.0


PCI DSS was released by the PCI Security Standards Council (PCI SSC), a panel of five global payment brands—American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS also includes requirements for data security and related audit methods. In particular, the primary account number (PAN) is the defining factor in the applicability of PCI DSS requirements.


Link for full JAN 2014 newsletter


World Cup 2014 – please be careful with Malware attacks

Kaspersky Labs warns of WC 2014 email, phishing, and social media attacks

http://www.securelist.com/en/blog/208216028/World_Cup_fake_tickets_fake_giveaways_real_attacks

QUOTE: The storm of phishing and malware attacks using the theme of the World Cup continues – some months ago we registered several malicious campaigns with this theme. To diversify the attacks and attract more victims, Brazilian cybercriminals decided to invest their efforts to spread fake giveaways and fraudulent websites selling tickets for the games at very low prices, tickets that in fact do not exist.

Security Breaches – 2013 was record setting year

As PC Magazine reflects, 2013 was a record setting year for Security Breaches:

http://securitywatch.pcmag.com/security/320072-data-breaches-hit-all-time-high-in-2013

QUOTE: Target, Neiman Marcus, and Adobe. This past year was pretty rough for them. Was there anything they could have done to avoid the mess of security breaches? Well, yes actually. According to the Online Trust Alliance (OTA)’s latest report, these companies should’ve had better security controls and practices in place.

What Was Discovered – OTA’s findings included a number of noteworthy statistics. The non-profit estimated that over 740 million records were exposed in 2013 alone, making it the worst year for data breaches to date. Out of all these attacks, a whopping 89 percent could have been prevented if companies had simply employed basic, effective security measures.

Companies, Pay Attention! – Other useful tips include the use of email authentication to check on inbound email and avoid malicious, phishing emails. Companies should encrypt all sensitive information in order to better protect it. Keeping detailed logs is crucial to determine the severity of a security breach on a company. It’s important for companies and organizations to back up and protect their logs from attack. Each company should additionally have an incident response team and develop a Data Incident Plan.