Security Protection – Harry Waldron MVP

August, 2014:

Microsoft Security Update MS14-045 reissued on AUG 27th

http://support.microsoft.com/kb/2993651


http://blogs.technet.com/b/msrc/archive/2014/08/27/security-bulletin-ms14-045-rereleased.aspx

http://www.zdnet.com/microsoft-reissues-flawed-windows-security-update-7000033049/

A new version of MS14-045 has been pushed to Windows Update and the Download Center. Microsoft strongly recommends that users uninstall the old version first. Microsoft today re-released the updates for security bulletin MS14-045. This update had been released on the August Patch Tuesday, August 12, but withdrawn later in the week after user reports of blue screen crashes and disabled systems.

At the same time Microsoft withdrew MS14-045, it withdrew three non-security updates, KB2970228, KB2975719 and KB2975331. None of those have been reissued and we have no further information on them. A blog entry from Tracey Pretorius, Director of Microsoft Trustworthy Computing, implies that the problem was related to a change in the release schedules for non-security updates.


Hewlett-Packard – 6 million AC power cords recalled

Details from the HP site below on the free trade-in program.

http://h30652.www3.hp.com/

http://money.msn.com/business-news/article.aspx?feed=AP&date=20140826&id=17884547

HP is recalling about 5.6 million notebook computer AC power cords in this country and another 446,700 in Canada because of possible overheating, which can pose a fire and burn hazard. Consumers are advised to immediately stop using and unplug the recalled power cords and contact Hewlett-Packard to order a free replacement. Consumers can continue using the computer on battery power. Hewlett-Packard can be reached at 877-219-6676 from 10 a.m. to 7 p.m. ET Monday through Friday or online at www.hp.com and click “Recalls” at the bottom of the page for more information.

Leadership – Probing Questions to gather details

The John Maxwell Leadership blog shares ideas on the preparation of questions when interviewing business professionals.

http://www.johnmaxwell.com/blog/questions-to-ask-during-a-learning-session

QUOTE: Larry King, who has made his living speaking to people as a television talk show host, believes that asking questions is the secret of good conversation. He says, I’m curious about everything, and if I’m at a cocktail party, I often ask my favorite question: “Why?” If a man tells me he and his family are moving to another city: “Why?” A woman is changing jobs: “Why?” Someone roots for the Mets: “Why?”

The meetings I look forward to most are the learning lunches I schedule every month with people who can teach me. When we meet, I come armed with questions. Many are specific to the individuals I’m meeting with. But there are some questions I try to ask everyone. You may want to use them too:

1. What is the greatest lesson you have learned? By asking this question I seek their wisdom.
2. What are you learning now? This question allows me to benefit from their passion.
3. How has failure shaped your life? This question gives insight into their attitude.
4. Who do you know whom I should know? This allows me to engage with their network.
5. What have you read that I should read? This question directs my personal growth.
6. What have you done that I should do? This helps me seek new experiences.
7. How can I add value to you? This shows my gratitude and desire to add value to them.

Data Breach – UPS impacted by malware in 24 states

UPS and authorities continue to investigate a data breach from a major malware infection that was removed on August 11, 2014.

http://www.theupsstore.com/security/Pages/default.aspx

An assessment by The UPS Store and the IT security firm revealed the presence of this malware on computer systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States. Based on the current assessment, the earliest evidence of the presence of this malware at any location is January 20, 2014. For most The UPS Store locations, based on our current assessment, the period of exposure to this malware began after March 26, 2014. This malware was eliminated as of August 11, 2014 and customers can shop securely at The UPS Store.

WordPress Security – New XML-RPC brute-force password attacks

Strong password controls are recommended for WordPress sites, as major brute-force attacks are circulating more actively.

http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html

QUOTE: Brute force attacks against WordPress have always been very common. In fact, Brute Force attacks against any CMS these days are a common occurrence; what is always interesting, however, are the tools employed to make it happen. You create a website, because it’s super easy these days, publish the content and within a few weeks people try to repeatedly log in. These login attempts come from botnets, they are automated and their goal is simple: “break into as many websites as they can by guessing their passwords.” Once they find one that matches, they take over the site and use it to distribute malware, spam and similar activities.

Here is a small example, from our own honeypots, where we see hundreds of login attempts per day, trying various combinations. The passwords may seem silly, but after going through the most common 200/300 dictionary passwords, they can get into many web sites.

user: admin, pass: admin
user: admin, pass: 123456
user: admin, pass: 123123
user: admin, pass: 112233
user: admin, pass: pass123

Originally, these brute force attacks always happened via /wp-login.php attempts, lately however they are evolving and now leveraging the XMLRPC wp.getUsersBlogs method to guess as many passwords as they can. Using XMLRPC is faster and harder to be detected, explaining this change in tactics. This is not to be confused with our post back in March where we reported XMLRPC being used to DDOS websites, oh no, in this instance they are leveraging it to break into websites.
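Detection logic for the XML-RPC and wp-login.php brute-force pattern the Sucuri post describes, written here as an added example rather than code from Sucuri or WordPress: it parses constructed Apache access-log lines and flags any source that POSTs to either login endpoint a threshold number of times inside a one-minute window. The sample lines, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line; method, path and timestamp are what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints the Sucuri post names as brute-force targets.
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")

# Constructed sample log lines (not real traffic): one host hammering
# xmlrpc.php, one ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Aug/2014:10:00:03 +0000] "GET /2014/08/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2014:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Aug/2014:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_brute_forcers(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> largest number of POSTs to a login endpoint seen
    inside any single `window`; only IPs reaching `threshold` are reported."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] in LOGIN_PATHS:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, 0):
                flagged[ip] = count
    return flagged
```

The same function works on a real access log by passing the file contents; a hit on /xmlrpc.php is worth treating as seriously as one on /wp-login.php, since the post notes the XML-RPC route is the quieter of the two.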

Targeted Attacks – Seven resources to check for new attacks

Trend Labs shares techniques for spotting targeted attacks, which are highly specific and designed to blend into normal corporate email and other business activity so that they appear legitimate.

http://blog.trendmicro.com/trendlabs-security-intelligence/7-places-to-check-for-signs-of-a-targeted-attack-in-your-network/

http://about-threats.trendmicro.com/us/threat-intelligence/targeted-attacks/

QUOTE: Targeted attacks are designed to circumvent existing policies and solutions within the target network, thus making their detection a big challenge. As we’ve stressed in our previous entry about common misconceptions about targeted attacks, there is no one-size-fits-all solution against them; enterprises need to arm themselves with protection that can provide sensors where needed, as well as IT personnel equipped enough to recognize anomalies within the network and to act accordingly.

1. Check for Injected DNS Records
2. Audit Accounts for Failed/Irregular Logins
3. Review Security Warning messages and logs
4. Check for Strange Large Files
5. Audit Network Log for Abnormal Connections
6. Abnormal Protocols
7. Increased Email Activity and Spikes

Security – Built on foundation of Trust

As McAfee security shares, “Trust Is the Most Valuable Asset” in protecting information resources.

http://blogs.mcafee.com/mcafee-labs/trust-valuable-asset

QUOTE: Traditionally, providing security has been primarily a task of the state, but who should be responsible for safeguarding cyberspace? Who will build trust in it? Most digital infrastructure is owned and operated by the private sector. Moreover, the majority of actors operating in the field of cybersecurity are private. The state has unique capabilities to provide security and maintain trust among people, for example, by mobilizing its unique resources and by passing and enforcing laws.

Trust is an important ingredient of security. Doubt leads to insecurity, whereas trust builds security. When there is no certainty, people seek additional security measures. In cyberspace, these measures usually refer to technical solutions to particular problems. In other words, security is produced through technology. However, addressing the question of trust this way is only part of the solution. Regulation—standards, laws, treaties, and good practices—that establishes rules of the game for cyberspace is also important. Yet the biggest challenge remains in people’s unawareness and lack of familiarity with digital technology.

It is the shared responsibility of all online actors to reinforce trust in the digital world. Thus it lies on everyone’s shoulders to strengthen cybersecurity. The state does its part by establishing national and international regulation and administrative structures needed for cooperation. It strengthens public-private partnerships and allocates powers both upward and downward to different actors. It strives to normalize people’s relationship to cyberspace and educates them to become smart e-citizens, shares information, provides services online, and counteracts threats in the digital world. It also uses market mechanisms, for example, purchasing power and the creation of incentives for companies, other organizations, and individuals to invest in cybersecurity.

Passwords – TrustWave 2014 research report

This study finds that longer passwords are more protective than heavy use of special characters in shorter passwords. Several additional key findings are also shared in the report.

https://gsr.trustwave.com/topics/business-password-analysis/2014-business-password-analysis/

http://securitywatch.pcmag.com/hacking/326374-make-passwords-strong-and-long

An automated tool can crack a completely random eight-character password including all four character types such as “N^a&$1nG” much faster than a 28-character passphrase including only upper- and lower-case letters like “GoodLuckGuessingThisPassword”. If for the purposes of this estimate we assume the attacker knows the length of the passwords and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU. Weak or default passwords contributed to one third of compromises investigated by Trustwave. Therefore, annihilate weak passwords: Implement and enforce strong authentication policies. Educate users on the value of choosing longer pass-phrases instead of simple, predictable, easy-to-crack passwords. Deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user’s mobile phone.
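To make the length-versus-complexity point concrete, here is an added example (not Trustwave's or PCMag's code) that sizes the search space of the two passwords quoted above under the same assumption the report states, namely that the attacker knows the length and the character classes used. The guess rate is an assumed round number for a fast unsalted hash, so the resulting times illustrate the ratio rather than reproduce the report's 3.75-day and 17.74-year figures, which come from Trustwave's own benchmark.

```python
import math
import string

# Character classes counted the way most policy checkers do (an assumption for
# this example; the report does not spell out its alphabet sizes).
CLASSES = (
    ("lower", set(string.ascii_lowercase)),   # 26
    ("upper", set(string.ascii_uppercase)),   # 26
    ("digit", set(string.digits)),            # 10
    ("symbol", set(string.punctuation)),      # 32
)

def alphabet_size(password):
    """Size of the union of the standard classes that cover every character used."""
    used = set(password)
    return sum(len(chars) for _, chars in CLASSES if used & chars)

def keyspace_bits(password):
    """log2 of the candidates a brute-force search must cover when the
    attacker knows the length and the character classes."""
    return len(password) * math.log2(alphabet_size(password))

def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate."""
    candidates = alphabet_size(password) ** len(password)
    return candidates / guesses_per_second / (365 * 24 * 3600)

def prefer_length(password, min_len=16, min_bits=80):
    """Policy check in the spirit of the report: a long passphrase passes even
    without symbols; a short password must clear the entropy bar instead.
    The thresholds are assumptions, not values from the report."""
    return len(password) >= min_len or keyspace_bits(password) >= min_bits

if __name__ == "__main__":
    RATE = 1e10  # assumed guesses per second for one GPU; not from the report
    for pw in ("N^a&$1nG", "GoodLuckGuessingThisPassword"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw, RATE):.3g} years at {RATE:.0e}/s, "
              f"policy ok={prefer_length(pw)}")
```

Note that keyspace size is an upper bound on attacker effort: a dictionary word or reused password is found long before the space is exhausted, which is why the report pairs length with two-factor authentication rather than relying on either alone.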

Leadership – Focus on the five most essential ingredients for success

Another excellent leadership article from John Maxwell’s blog.

http://www.johnmaxwell.com/blog/take-5

Leaders should quit agonizing over the wording of an abstract mission statement that almost no one will read and that will have almost zero impact on their people. Instead, they should concentrate their efforts on developing and following a “Rule of 5” for their company. For leaders, a primary challenge is to identify the five activities most essential to success, and then to practice them daily. The Rule of 5 doesn’t ask: “What are the five things I would like to do.” That’s a question related to passion. Nor does it ask: “What are five things I should like to do?” That sort of inquiry uncovers your values. Rather, the Rule of 5 asks: “What are the five things I must like to do in order to be successful?” Over the next week, carve out time to consider the five activities most essential to your success. Use them to create your own Rule of 5. Then, for the next month, take five minutes in the morning, and another five minutes at the end of the day, to review your Rule of 5. This simple exercise will sharpen your focus and speed your progress toward success.

Facebook – Choking game warning issued

Warnings have been issued for young people to avoid this dangerous activity, which is sometimes promoted by their friends on social networking sites.

http://stlouis.cbslocal.com/2014/08/05/deadly-choking-game-spreads-among-teens-on-social-media/

The “choking game” has sparked a social media craze with teenagers posting photos and videos of people choking themselves for a brief high that causes people to pass out – or in some cases, causes death. Thousands of Facebook and Twitter users have revived “The Choking Game” – a thrill-seeking activity that involves strangulation and often fainting in order to induce a temporary feeling of euphoria caused by a lack of oxygen to the brain. Also called the “fainting game,” the oxygen deprivation causes grey-outs that some have deemed near-death experiences. Medical professionals told KTVI-TV that teens cause the self-induced hyperventilation in order to achieve an adrenaline rush. The game is extremely dangerous; at best, it kills off brain cells and causes participants to faint and lose consciousness. At worst, it’s deadly; according to the nonprofit organization Games Adolescents Shouldn’t Play (GASP), 900 reported deaths have been attributed to the game.