Security Protection – Harry Waldron MVP

July, 2014:

Microsoft EMET v5.0 Release

Microsoft has just released version 5.0 of the EMET security tool.

http://blogs.technet.com/b/msrc/archive/2014/07/31/general-availability-for-enhanced-mitigation-experience-toolkit-emet-5-0.aspx

http://blogs.technet.com/b/srd/archive/2014/07/30/announcing-emet-v5.aspx

 
First, the new Attack Surface Reduction (ASR) mitigation provides a mechanism to help block specific modules or plug-ins within an application, in certain conditions. For example, customers can now configure EMET to prevent their browser from loading Java plug-ins on external websites, while still continuing to allow Java plug-ins on their internal company websites. Second, the brand new Export Address Table Filtering Plus (EAF+) mitigation introduces two new methods for helping disrupt advanced attacks. For example, EAF+ adds a new “page guard” protection to help prevent memory read operations, commonly used as information leaks to build exploitations. EMET 5.0 offers new user interface (UI) options so that customers can configure how each mitigation applies to applications in their environment, taking into account their enterprise frameworks and requirements. For example, users can configure which specific memory addresses to protect with the HeapSpray Allocation mitigation using EMET 5.0. We continue to provide smart defaults for many of the most common applications used by our customers.

More on Enhanced Mitigation Experience Toolkit (EMET) can be found here:

http://technet.microsoft.com/en-us/security/jj653751

 
The Enhanced Mitigation Experience Toolkit (EMET) is designed to help customers with their defense in depth strategies against cyberattacks, by helping detect and block exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.

The EMET 5.0 security toolset is available as a free download from the home page below:

http://www.microsoft.com/emet

Facebook – Account Enable Account Scam JULY 2014

Malwarebytes warns of a circulating phishing scam that uses a Facebook-like address and attempts to capture personal and even credit card information.

http://blog.malwarebytes.org/fraud-scam/2014/07/enter-details-here-to-enable-your-account/

 
Here’s one in-the-wild phishing campaign that we spotted homing in on users. Unfortunately, we couldn’t trace back the origin of this campaign; however, it’s highly likely that it started off as an email pretending to be a notification. As such, be wary of any received emails containing URL(s) that may lead you to a name similar to Facebook but malicious in nature. Apart from asking for email address and password—credentials used to access a Facebook account—from the user, it also wants to get his/her webmail and corresponding password, date of birth, security question and answer, and country of origin—information that is irrelevant at best when enabling disabled accounts in general. A “Payment Verification” page when users only want their accounts enabled? Uh-oh. Unfortunately, this section cannot be skipped, which effectively forces users to make them think they’re “buying” Facebook Credits—perfect excuse to ask for payment details. Finally clicking “Confirm” after filling in credit card details opens the legitimate Facebook page on users’ “Statement of Rights and Responsibilities”.

Mobile Security – Major Security threats to be shared at Black Hat conference next week

Widespread vulnerabilities discovered in client control software affecting smartphone platforms will be shared at next week’s conference.

http://www.darkreading.com/mobile/new-mobile-phone-0wnage-threat-discovered/d/d-id/1297686
Rogue cellular towers and phony base stations long have been a tradition of researchers at Black Hat and DEF CON, who test and demonstrate how they can intercept or manipulate cellphones, but a team of researchers has found a deeper problem of major security vulnerabilities in the client control software running on the majority of mobile phones around the world. Accuvant Labs researchers Mathew Solnik and Marc Blanchou — who will provide details and demonstrations of their findings next week at Black Hat USA in Las Vegas — say they found a variety of serious flaws in the software that sits on Android, BlackBerry, and Apple iOS smartphones and embedded devices that handle everything from firmware, cell network baseband parameters, CDMA settings, and LTE settings, to device-wiping, Bluetooth, GPS, encryption, software activation, and battery monitoring, among other functions. Attackers using a rogue base station could exploit these flaws to wrest control of the mobile devices themselves, or remotely spread malware on devices connecting to the station, for example. “The attacks require more or less a rogue femtocell, or base station,” says Solnik, a research scientist with Accuvant. Such hardware is relatively simple to acquire: He and Blanchou purchased a base station for under $1,000 for their research, and were able to conduct their proof-of-concept attacks anywhere from 30 feet to 30 yards away from the targeted phones.

Leadership – Examples from NASA moon landing in 1969

John Maxwell shares excellent leadership guidance in the following post:

http://www.johnmaxwell.com/blog/traveling-to-infinity-and-beyond-means-leaving-self-centeredness-behind

 
Forty-five years ago, on July 20, 1969, astronauts Neil Armstrong and Buzz Aldrin accomplished a feat considered impossible for much of human history. Escaping the gravitational pull of the earth, and soaring beyond its atmosphere, they were the first persons to set foot on the moon. Their successful mission was the crowning achievement of NASA’s space program. Similar to space explorers, leaders desire to expand the frontiers of their industry, to reach higher levels of influence, and to go beyond what has been previously accomplished. For them, the primary challenge isn’t defying gravity but denying the self. Journeying to significance means going beyond the limitations of self-interest by way of servanthood.

Going Beyond Yourself Means…


1) Seeing Beyond Yourself
2) Growing Beyond Yourself
3) Giving Beyond Yourself
4) Gathering Beyond Yourself


Aside from that, a leader has to offer others a vision that


1) compellingly solves a significant problem
2) expresses a sense of urgency
3) is bigger than any one person
4) is connected to a realistic strategy
5) is infused with passion.



Even so, people won’t stick with the vision unless you stand by them—supporting their needs, empowering them with responsibility, and sharing the credit for success.

Oracle – Critical Security updates JULY 2014

Users should promptly apply the critical Java updates, and those for other products, as shared in the links below.

http://www.intego.com/mac-security-blog/critical-java-patches-misery/

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA

https://blogs.oracle.com/security

 
Oracle, the maker of Java, has released a flood of security patches affecting a wide array of its products.  In all, Oracle has released some 113 security fixes in its July Critical Patch Update, addressing holes in a plethora of products and services. But what most computer users are likely to be interested in are the newly-released security patches for Java.  In total, Oracle’s security update is said to fix 20 vulnerabilities in Java, all of which can be exploited by remote hackers

AntiVirus – Malware Cleanup Test July 2014

Malwarebytes achieved a perfect score in malware cleanup during recent testing by the AV-TEST Institute.

http://securitywatch.pcmag.com/security-software/325924-antivirus-software-for-the-morning-after

http://www.av-test.org/en/news/news-single-view/17-software-packages-in-a-repair-performance-test-after-malware-attacks/

When your antivirus software is nicely installed and integrated with Windows, it has lots of chances to prevent malware infestation. It can block access to the malicious URL, kill the download before it executes, eliminate known malware based on its signature, detect and avert malicious behavior, and so on. But if the malware has already dug in its heels, that’s a different story. An arduous, months-long test by AV-Test Institute evaluated which products do the best cleanup job. Note that even if your antivirus is installed and running, it might miss a brand-new zero-day attack. If later on it gets an update that can detect that zero-day malware, it’s in the same situation as a product installed on an infested system. Well, it’s not quite as bad; at least the malware can’t fight back to prevent the initial antivirus installation.


Facebook – New Buy Button capability being pilot tested

Facebook is testing new e-commerce capabilities that have both security and privacy needs in a social networking environment.

http://facecrooks.com/Internet-Safety-Privacy/Facebook-Testing-A-%e2%80%9cBuy%e2%80%9d-Button.html/

https://www.facebook.com/business/news/Discover-and-Buy-Products-on-Facebook-Test

Facebook announced this week that it’s testing a “Buy” button feature on the site that would allow users to make purchases without leaving Facebook. While it’s a good idea, and an inevitability, to combine online retail and social media, many users are likely to be put off by the thought of trusting Facebook with their credit card information. Facebook preemptively addressed those concerns in its press release announcing the new feature, saying: “We’ve built this feature with privacy in mind, and have taken steps to help make the payment experience safe and secure. None of the credit or debit card information people share with Facebook when completing a transaction will be shared with other advertisers, and people can select whether or not they’d like to save payment information for future purchases.” Of course, the site’s move into e-commerce will have plenty of detractors, and Facebook will have to prove it belongs on the same stage as industry giants such as Amazon and eBay. However, with Facebook’s already-massive user base growing every day, there’s no denying that the move will be a hugely profitable one for Facebook. It remains to be seen, however, just how users will react to the potential privacy ramifications.


Facebook Privacy – Ad tracking expands to non-FB sites

Some recent concerns have been raised about expanded ad integration outside of Facebook sites.

http://allfacebook.com/trans-atlantic-consumer-dialogue_b133565

Facebook’s announcement last month that it will include data from non-Facebook websites and applications in its ad preferences tool did not sit well with two privacy advocacy groups. Bloomberg reported that European Consumer Organization Senior Legal Officer Kostas Rossoglou and Center for Digital Democracy Executive Director Jeff Chester sent a letter to the Federal Trade Commission, announcing their formation of the Trans Atlantic Consumer Dialogue and calling on the agency to launch a probe of the social network’s practices.


Facebook Security – Instagram on public Wi-Fi risk

This article warns of a security flaw in Facebook’s Instagram app that can lead to account compromise in certain circumstances.

http://www.cio.com/article/2459062/using-instagram-on-public-wifi-poses-risk-of-an-account-hijack-researcher-says.html

A configuration problem in Facebook’s popular Instagram application for Apple devices could allow a hacker to hijack a person’s account if they’re both on the same public Wi-Fi network. Stevie Graham, who describes himself as a “hacker at large” based in London, wrote on Twitter that Facebook won’t pay him a reward for reporting the flaw, which he said he found years ago. Graham wrote he hopes to draw more attention to the issue by writing a tool that could quickly compromise many Instagram accounts. He cheekily calls the tool “Instasheep,” a play on Firesheep, a Firefox extension that can compromise online accounts in certain circumstances. “I think this attack is extremely severe because it allows full session hijack and is easily automated,” according to Graham’s technical writeup. “I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.”


Security – 2014 Dell Study of Data centric security model

A security model that centers on embedding security within the data itself, rather than today’s focus on users, devices or operating systems, might emerge in the future.

http://www.cio.com/article/2457657/data-protection/security-must-evolve-to-be-all-about-the-data.html

But there was little debate Thursday morning in Boston at a panel discussion among Dell security experts, partners, analysts and customers that the digital equivalent of GMO protection embedded in data will be more than just a good thing – it will be mandatory to sustain any credible level of security into the future.

And while it is notoriously difficult to predict just about anything in IT, the panelists agreed with Don Ferguson, Dell senior fellow, vice president and CTO of the Dell Software Group, that a security model for applications that, “has not changed in decades doesn’t sustain us.” That model, which, “relies on the program to identify the person and what is the operation,” is now obsolete, he said. “Data are everywhere, on the device, in the cloud, moving around. You can’t find all the places that are moving it around, so data need to be self-protecting. And existing apps are not coded that way.” Changing that model, said Patrick Sweeney, executive director at Dell SonicWALL, would, “solve the BYOD problem.”