Security Protection – Harry Waldron MVP

May, 2014:

Microsoft Surface Pro 3.0 – in depth review

This Computerworld evaluation is a comprehensive review of the latest version of the Surface Pro.

http://www.computerworld.com/s/article/9248650/Surface_Pro_3_deep_dive_review_Has_Microsoft_finally_got_it_right_

QUOTE: However, if you think of the Surface Pro as a laptop plus tablet, things look better. You’ll have to buy a Surface Pro Type Cover for $130, putting the total starting price at $930. That’s not a bad price for a premium laptop that doubles as a tablet — in fact, it’s just about the same price as the $899 starting price for the 11-in. MacBook Air, yet gives you more display real estate, a touch screen and a pen. On the other hand, the MacBook Air’s keyboard is superior to the one on the Surface Pro Type Cover. So will this be the tablet-laptop combo that convinces you to use Windows 8 if you’re not already committed to it? No. But this machine shows that a tablet-laptop combo is not as much of a Rube Goldberg mashup as you might have imagined. It even makes sense. With each iteration, the Surface line improves. Microsoft still hasn’t quite nailed it yet. But it’s getting close. If it closes the app gap, the Surface Pro 3 could be a big winner.

Malware – Cryptolocker corporate lessons learned analysis

A “Lessons Learned” evaluation from the SANS Internet Storm Center (ISC) shares two valuable recommendations: keep good backups, and do not treat an AV “cleaned” verdict as proof the infection is fully gone.

https://isc.sans.edu/forums/diary/Cryptodefense+infection+some+lessons+learned/18165

QUOTE: Cryptodefense made its appearance around February this year on the back of the success of Cryptolocker. The basics remain the same though and once infected the malware searches out PDF, doc(x), jpg and a few more document types and encrypts those. Files are encrypted using a RSA 2048 bit key which is placed in the user’s AppData Directory. The impact of this particular malware can be devastating. Looking at what is left of the hard drive every directory that looks like it may have documents or pictures in it has been touched. This includes things like dropbox and network shares. In an incident elsewhere earlier in the year external hard drives were also encrypted.

So what were the lessons learned in this instance? Well for starters backups are your friend. In this particular instance the organization had good backups of the files on the servers. The other lesson learned was to take AV responses more seriously. Just because the AV says it has cleaned something does not necessarily mean that everything is gone, only the bits it knows about.

Malware – Cryptolocker attack uses fake Australian Electric Bill

Cryptolocker is a highly destructive attack that encrypts files so they cannot be recovered without paying for the key that unlocks them. This new attack is well crafted and realistic enough to trick some users.

https://isc.sans.edu/forums/diary/Fake+Australian+Electric+Bill+Leads+to+Cryptolocker/18185

https://www.virustotal.com/en/file/ad9692b0d589faf72121e4c390138dfe872fe913f73dd1edb699e60bab38f875/analysis/

QUOTE: The e-mail claims to come from “Energy Australia”, an actual Australian utility company, and the link leads to a malicious site with a similar name. The first screen presented to the user asks the user to solve a very simple CAPTCHA. This is likely put in place to hinder automatic analysis of the URL. The “bill” itself is a ZIP file that includes a simple ZIP file that expands to an EXE. Virustotal shows spotty detection. Once downloaded and unzipped, the malware presents itself as a PDF. But then, as soon as the malware is launched, it does reveal its true nature.
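The attachment pattern described above (a ZIP inside a ZIP, expanding to an EXE that poses as a PDF) is the kind of thing a mail gateway or help desk can check for before a user ever double-clicks. The following is an added example, not code from the ISC diary: it walks a ZIP attachment recursively and flags entries with an executable header, an executable extension, or a document-looking double extension. The sample attachment it builds is constructed for the demonstration and contains no real malware.

```python
"""Inspect a ZIP attachment, including nested ZIPs, for executables posing as documents."""
import io
import zipfile

EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
DOC_EXTS = (".pdf", ".doc", ".docx", ".jpg")
MAX_DEPTH = 3  # refuse to recurse forever into archive-in-archive chains


def inspect_archive(data, depth=0, path=""):
    """Return a list of (entry_path, reason) tuples for suspicious entries."""
    findings = []
    if depth > MAX_DEPTH:
        return [(path, "nested more than %d levels deep" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "claims to be a ZIP but cannot be parsed")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            full = path + "/" + info.filename if path else info.filename
            content = zf.read(info)
            # The fake bill arrived as a ZIP inside a ZIP: descend into inner archives.
            if content.startswith(b"PK\x03\x04") or lower.endswith(".zip"):
                findings.extend(inspect_archive(content, depth + 1, full))
                continue
            if content.startswith(b"MZ"):
                findings.append((full, "Windows executable header (MZ)"))
            if lower.endswith(EXEC_EXTS):
                findings.append((full, "executable file extension"))
            stem = lower.rsplit(".", 1)[0]
            if stem.endswith(DOC_EXTS):
                findings.append((full, "double extension mimics a document"))
    return findings


def build_sample(with_payload=True):
    """Construct a test attachment (not a real sample): outer ZIP -> inner ZIP -> fake 'PDF' EXE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        if with_payload:
            zf.writestr("Energy_Bill_2014.pdf.exe", b"MZ\x90\x00" + b"\x00" * 61)
        zf.writestr("readme.txt", b"Your bill is attached.")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("bill.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `inspect_archive(build_sample())` reports the inner entry three times (MZ header, .exe extension, .pdf double extension); a benign attachment returns an empty list.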

Encryption – Open Source TrueCrypt warns of safety issues

The open source TrueCrypt product and website now encourage users to seek alternatives, stating that the software may contain unfixed security issues. Little is known about the reasons behind these warnings so far, and further developments are likely to emerge later.

http://securitywatch.pcmag.com/security/324131-truecrypt-shut-down-what-to-use-now-to-encrypt-your-data

http://grahamcluley.com/2014/05/truecrypt-insecure/

https://isc.sans.edu/forums/diary/True+Crypt+Compromised+Removed/18177

QUOTE: If you use TrueCrypt to encrypt your data, you need to switch to a different encryption software to protect your files, and even whole hard drives. The open source and freely available TrueCrypt software has been popular for the past ten years because it was perceived to be independent from major vendors. The creators of the software have not been publicly identified. Edward Snowden allegedly used TrueCrypt, and security expert Bruce Schneier was another well-known supporter of the software. The tool made it easy to turn a flash drive or a hard drive into an encrypted volume, securing all the data stored on it from prying eyes.

The mysterious creators abruptly shut down TrueCrypt on Wednesday, claiming it was unsafe to use. “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” read the text on TrueCrypt’s SourceForge page. “You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform,” the message said. “It’s time to start looking for an alternative way to encrypt your files and hard drive,” wrote independent security consultant Graham Cluley.

TrueCrypt alternatives are noted in the following link:

http://grugq.tumblr.com/post/60464139008/alternative-truecrypt-implementations

Point-of-Sale Security – Global Botnet affects 1500 computers in 36 countries

Computerworld documents a small but highly sophisticated point-of-sale botnet below:

http://www.computerworld.com/s/article/9248541/Researchers_find_a_global_botnet_of_infected_PoS_systems

QUOTE: The botnet contained almost 1,500 compromised point-of-sale and other retail systems from 36 countries, researchers from IntelCrawler said. Security researchers uncovered a global cybercriminal operation that infected with malware almost 1,500 point-of-sale (POS) terminals, accounting systems and other retail back-office platforms from businesses in 36 countries. The infected systems were joined together in a botnet that researchers from cybercrime intelligence firm IntelCrawler dubbed Nemanja. The researchers believe the attackers behind the operation might be from Serbia. The size of the botnet and the worldwide distribution of infected systems brings into perspective the security problems faced by retailers from around the world, problems that were also highlighted by the recent PoS breaches at several large U.S. retailers.

Ransomware – Prevention and Cleaning tips

KME Systems offers advice on ransomware attacks that encrypt files with a 1024 bit key, leaving them permanently unrecoverable without the attacker’s key.

http://kmesystems.com/a-new-form-of-ransomware-targets-mac-computers-as-well-as-pcs/

QUOTE: Backup your files before Cryptolocker infects your computer. Due to the popularity of these ransomware viruses, PC and Mac users should regularly backup their files. Once the malware has infected a computer, there’s no way to restore access to those encrypted files. At that point, the best option would be to have your IT department reformat the computer and restore files from a previously saved backup set. You can also attempt to decrypt your files on your own as an alternative to paying a fine or if you don’t have an IT department.

For Mac Users: Click on the Safari menu and choose “reset Safari.” Make sure all check boxes are selected or hold the Shift key down while re-launching Safari. This prevents Safari from reopening windows and tabs from your previous session. In addition, disable the reopening feature across OS X from the “General” setting in “System Preferences.”

For PC Users: Turn your computer off, and restart in “safe mode.” Then, follow Windows instructions to do a “System Restore.” If the above tips for decrypting your files fail to work, and you or your IT department is unable to solve the problem, many sources have reported that paying the fine actually does result in a decryption key. However, paying the fee does result in funding for cybercriminals, which helps them create even more viruses.

Desktop Systems – How to safely clean inside

This CNET forum post offers informative cleaning tips:

http://forums.cnet.com/7723-6121_102-619335/how-do-you-safely-clean-the-inside-of-your-desktop-computer

QUOTE: I noticed that my computer box vents were grossly blocked by a blanket of dust. Even the back of my computer where all the cords are connected to it was covered with dust and spider webs. OK, I’ll admit I’m not a clean freak, and to be perfectly honest, I have never visually checked my physical computer up close since I had purchased it. I did some wiping on the exterior of my computer, but that only got me so far, as I could still see a lot of dust on the fans in the inside. I did manage to buy one of those canned air products, but spraying it from the outside cleared the vents, and now all the dust is inside. I desperately want to open the computer up, but I’m not sure how to.

Several great tips can be found in the forum replies to this question.

Ransomware – New Variant infects vulnerable Apple Mac systems

KME Systems has an informative blog and notes that Apple Mac systems should also be safeguarded against the new ransomware attacks circulating in the wild.

http://kmesystems.com/a-new-form-of-ransomware-targets-mac-computers-as-well-as-pcs/

http://kmesystems.com/category/blog/

QUOTE: Ransomware is malware used specifically for cyber data kidnapping. Cryptolocker, an updated form of ransomware, is used by cybercriminals to encrypt a victim’s data with a strong 1,024-bit algorithm. The cybercriminal then demands payment from the victim to obtain the decryption code.

Microsoft EMET 4.1 – May 2014 Update

A new update to the Microsoft Enhanced Mitigation Experience Toolkit (EMET) 4.1 is now available:

http://www.microsoft.com/en-us/download/details.aspx?id=41138

QUOTE: EMET 4.1 Update 1 release includes new functionality and updates, such as:

* Updated default protection profiles, Certificate Trust rules, and Group Policy Object configuration.

* Shared remote desktop environments are now supported on Windows servers where EMET is installed.

* Windows Event logging mechanism allows for more accurate reporting in multi-user scenarios.

* Addressed several application-compatibility enhancements and mitigation false positive reporting.

Passwords – Popular Website policies evaluated

It is important to set strong passwords even if a website’s password policy does not require it. Ending a password with an “*” or “$” is one good technique, along with using a different password for each website. This article evaluates the strong and weak password protection policies of major websites.

http://securitywatch.pcmag.com/security-software/323808-popular-websites-password-policies-leave-consumers-exposed

QUOTE: Dashlane’s researchers analyzed the password policies of more than 80 popular websites, awarding points for policies that improve security and deducting points for risky policies. For example, a site that sends a confirmation email after password change earns 10 points, but a site whose notification includes the password in plain text loses 30 points. A site that accepts passwords of three characters or shorter loses 5 points; one that requires at least eight characters gains 20 points.

The possible range of scores runs from a perfect 100 points down to a dismal -100 points. Dashlane considers a site reasonably secure if it earned at least 50 points. Only 14 percent of the surveyed sites managed that feat, and 53 percent earned negative scores. Unless forced to do better by a site’s password policies, many people still use terrible passwords like “password,” “123456,” and “qwerty.” Dashlane identified the ten worst offenders and dinged each site by 2.5 points for each that was accepted. More than 40 percent of the sites accepted all ten. A handful blocked almost all, but tripped up on “abc123.”
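To make the scoring concrete, here is an added example (not Dashlane’s own methodology or code) that applies just the point rules the article quotes to a hypothetical site policy and compares a lax policy with a hardened one. It assumes the four worst passwords named on the page; the full list of ten is not given, and since only a subset of the rubric is known, the most a site can earn here is 30 points, below the 50-point bar.

```python
"""Score a site's password policy with the point rules quoted from the Dashlane survey."""
from dataclasses import dataclass, field

# Four of the ten "worst offender" passwords the article names; the full list is not on the page.
WORST_PASSWORDS = ["password", "123456", "qwerty", "abc123"]
WORST_PENALTY = 2.5       # points deducted per worst password the site accepts
REASONABLE_SCORE = 50     # Dashlane's bar for a "reasonably secure" site (needs the full rubric)


@dataclass
class SitePolicy:
    """Hypothetical model of one site's signup rules (constructed for this example)."""
    name: str
    min_length: int
    confirms_change_by_email: bool
    emails_plaintext_password: bool
    blocklist: set = field(default_factory=set)

    def accepts(self, password):
        """Would the site accept this password at signup?"""
        return len(password) >= self.min_length and password not in self.blocklist


def score_policy(policy, worst=WORST_PASSWORDS):
    """Return (score, breakdown) applying only the rules the article states."""
    breakdown = {}
    if policy.confirms_change_by_email:
        breakdown["confirmation e-mail after password change"] = 10
    if policy.emails_plaintext_password:
        breakdown["password sent in plain text"] = -30
    if policy.min_length <= 3:
        breakdown["accepts 3 characters or shorter"] = -5
    if policy.min_length >= 8:
        breakdown["requires at least 8 characters"] = 20
    accepted = [p for p in worst if policy.accepts(p)]
    if accepted:
        breakdown["accepts worst passwords: " + ", ".join(accepted)] = -WORST_PENALTY * len(accepted)
    score = max(-100.0, min(100.0, sum(breakdown.values())))  # clamp to the -100..100 range
    return score, breakdown


# Constructed comparison: a lax policy beside a hardened one.
WEAK_SITE = SitePolicy("weak.example", 1, False, True)
HARDENED_SITE = SitePolicy("strong.example", 8, True, False, set(WORST_PASSWORDS))
```

A policy that blocks most of the list but not “abc123” (the slip the article mentions) loses 2.5 points for that one acceptance.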