Security Protection – Harry Waldron MVP

September, 2014:

LINUX/UNIX Admins – PATCH AGAIN as new BASH Shellshock exploits are emerging

These newly reported vulnerabilities appear to be less exploitable through crafted environment variables than the original BASH Shellshock bug. Still, open source administrators need to stay vigilant and remain in “patch now” mode as further developments warrant.

http://www.darkreading.com/vulnerabilities—threats/new-bash-bugs-surface/d/d-id/1316161

QUOTE: If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash function, your work is not done here yet. New bugs have been reported in Bash, so it’s probably time to patch again, security experts warn.

Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched, as of this posting: CVE-2014-7186, -7187, and -6277. The original Bash Shellshock bugs revealed on September 24 — CVE-2014-6271 and CVE-2014-7169 — have been patched and updated in major distributions, according to Ullrich.

The latest bugs in Bash are not one and the same as Shellshock, however. “They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn’t seem to apply,” says Ullrich, who is currently performing more testing on the latest findings.

https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+the+wild/18725

QUOTE: I just published an updated YouTube presentation (about 15 min in length) with some of the shell shock related news from the last couple days:

YouTube: https://www.youtube.com/watch?v=b2HKgkH4LrQ
PDF: https://isc.sans.edu/presentations/ShellShockV2.pdf
PPT: https://isc.sans.edu/presentations/ShellShockV2.pptx

Leadership – Inspiring project team with Vision

John Maxwell’s Leadership blog has excellent advice that is applicable for IT projects

http://www.johnmaxwell.com/blog/give-your-dream-a-team

QUOTE: If you’re dreaming big, then the size of your vision will surpass your present abilities. Not only that, but your dream will even dwarf your potential abilities. No matter how much you grow and develop, you won’t ever be able to accomplish the dream alone. One is too small a number to achieve greatness. Every dream needs a team in order to come true. The questions are who to include on the team and how to convince them to join.

Who should I include on my dream team?  Life is especially hard on dreams, and when challenges arise we can be tempted to delay the dream indefinitely or to abandon it altogether. That’s why every dream team has inspirers. These people keep hope alive by providing continual encouragement. They believe in the dream even when you start to doubt it.

There’s a fine line between a dream and a fantasy, and it can be easy to cross. Every dreamer needs honest critics to keep from wandering into make-believe. These constructive critics are not skeptics or cynics; they believe in the dream just as much as you do. However, they’re attuned to reality, and they know that a dreamer who avoids facts and evidence will inevitably lose credibility.

Windows 8.1 Credential Manager – how to access and use

An informative article regarding Windows 8.1 Credential Manager from Tech Republic

http://www.techrepublic.com/article/working-with-windows-8-1s-credential-manager/

Whenever you respond to a prompt that essentially asks if you want Windows or Internet Explorer to remember your password, the operating system will then store your user credentials in an encrypted file scheme known as the Windows Vault. Having your credentials stored in this vault allows you to be able to automatically log on to a server/site without first being prompted to provide a username and password. For example, the vault can store credentials and then use them to automatically log you into online services such as Hotmail and OneDrive, Microsoft Office services such as Outlook Web Access for Exchange Server, plus Windows servers and Remote Desktop connections. The GUI front end for this vault is called Credential Manager, and it’s designed to allow you to easily view and manage your network-based logon credentials (i.e., usernames and passwords). In this article, I’ll introduce you to the Windows 8.1’s Credential Manager and explain how it works.

Apple iPhone 6 – over 60 pounds of force to bend

Interesting tests by Consumer Reports document how the new iPhone 6 casing holds up compared with other similar smartphones.

http://www.pcmag.com/article2/0,2817,2469381,00.asp

QUOTE: Apple’s iPhone 6 required less force to ruin than Apple’s iPhone 6 Plus, but more force than what Apple itself has been claiming the iPhones can tolerate. According to those who attended a recent press tour of the company’s “torture lab” for its iPhones, an iPhone 6 can handle at least 25 kilograms of weight—around 55 pounds—in a similar three-point flexural test. Apple maintains the iPhone 6 can actually handle more weight than that, but didn’t specify how much.

According to Consumer Reports’ tests, the iPhone 6 only started to deform, warp, or otherwise look different than it normally does once the test applied 70 pounds of weight to the smartphone. The iPhone 6 Plus held out for slightly longer, deforming at around 90 pounds.

Two days ago, the Internet erupted with photos of bent iPhone 6s, and a very-viral video of a guy creasing an iPhone 6 Plus with his bare hands. It seemed like a serious concern, yet everything about the uproar was highly unscientific. We don’t like unscientific, so we promised then that we would use our lab equipment to find out just how delicate the iPhone 6 and 6 Plus really are.

Hacked Account – Recovery tips for home users SEP2014

Kim Komando shares a 5-page guide to recovering stolen email or other accounts. The key links to recovery resources for Facebook and other sites are helpful for home users.

http://www.komando.com/tips/11269/easily-recover-a-hacked-account

Unlike other online accounts, I wouldn’t use online forms to try to get back a hacked bank account. Call the bank or visit your local bank branch immediately. The bank will work with you to change the password and reverse any fraudulent charges. You may have to open up a new account, though. While you’re there, ask about using additional verification features. Most banks have a system that lets you verify any major charge before it’s made. For any online account, a little preparation beforehand makes your account much harder to crack. Check your online account’s security settings often. Make sure you have a rock-solid password and strong security question to keep hackers out.

Linux and Unix – PATCH NOW for Bash Shellshock vulnerability

Informative links below from Internet Storm Center (Webcast, FAQ, and Patch NIX now)

https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerability/18709

https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707

https://isc.sans.edu/forums/diary/Attention+NIX+admins+time+to+patch/18703

The good news is that it’s an easy fix: Debian (Ubuntu, etc.): apt-get upgrade bash …. RHEL (Fedora, CentOS, etc.): yum update bash
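Both Shellshock posts on this page (the “patch now” advice here and the “patch again” note above about the newer CVEs) come down to one operational question for an administrator: is the bash on this host patched yet? The script below is an added example, not code from this blog or from the ISC diaries it links. It runs the widely published local self-check for the original CVE-2014-6271 (a harmless function definition with trailing code placed in an environment variable; a patched bash ignores the trailing code) and prints the update command that matches the distribution family. The function names (`shellshock_6271_check`, `bash_patch_command`, `shellshock_report`) and the use of /etc/debian_version and /etc/redhat-release as distribution markers are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the blog or the ISC diaries it links): a local
# self-check for the original Shellshock bug, CVE-2014-6271, to run before
# and after "apt-get upgrade bash" / "yum update bash".
#
# The probe exports an environment variable whose value is a harmless
# function definition followed by trailing code ("echo shellshock-marker").
# An unpatched bash executes that trailing code while importing the
# function; a patched bash ignores it (and prints a warning on stderr,
# which is discarded here).
#
# Return codes: 0 = trailing code ignored (patched for CVE-2014-6271)
#               1 = trailing code ran (vulnerable)
#               2 = bash not installed, nothing to check
shellshock_6271_check() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo shellshock-marker' \
          bash -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *shellshock-marker*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Which update command applies, using the distribution family markers
# assumed by this example (Debian/Ubuntu vs. RHEL/Fedora/CentOS).
bash_patch_command() {
    if [ -r /etc/debian_version ]; then
        echo "apt-get update && apt-get upgrade bash"
    elif [ -r /etc/redhat-release ]; then
        echo "yum update bash"
    else
        echo "update the bash package with your distribution's package manager"
    fi
}

# Human-readable report; returns the check's code so callers can branch on it.
# Written as "a && b || c" so it stays correct when the caller has set -e.
shellshock_report() {
    shellshock_6271_check && rc=0 || rc=$?
    case "$rc" in
        0) echo "bash ($(bash --version 2>/dev/null | head -n 1)): CVE-2014-6271 trailing code ignored, patched" ;;
        1) echo "bash is VULNERABLE to CVE-2014-6271; run: $(bash_patch_command)" ;;
        2) echo "bash not found; nothing to check" ;;
    esac
    # The probe only covers the original bug, not the follow-on CVEs from
    # the "patch again" post (CVE-2014-7169, -7186, -7187, -6277).
    echo "note: this probe does not cover CVE-2014-7169, -7186, -7187 or -6277; keep patching as updates land"
    return "$rc"
}

shellshock_report
```

Run it as root or a normal user on each host; the exit code makes it easy to drop into a fleet-wide check (for example, a loop over `ssh host sh -s < shellshock_check.sh`), and a non-zero result should be treated as a patch-now item rather than a one-time finding, since the newer bugs the ISC diary mentions need their own updates.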

Apple iOS 8 Upgrade – Eight best practices

This PC Magazine security article shares 8 best practices to ensure a safe update of the new Apple iOS 8 operating system

http://securitywatch.pcmag.com/mobile-security/327506-8-security-tips-for-a-safe-ios-8-upgrade

QUOTE: Apple’s iOS 8 is here. If you’ve got an iPhone, you’re probably champing at the bit to download Apple’s latest and greatest OS. Or perhaps you’ve already pre-ordered an iPhone 6 or 6 Plus and are ready to party with a totally new handset. Either way, now is a great time to spruce up the security of your iOS device.

1. Wait – Don’t try to be among the first adopters and wait a few days until the dust settles
2. Shred It – Wickr’s Shredder feature to sanitize your phone before wiping it when trading in
3. Check Your Security Settings – Optimize your security settings as soon as you update to iOS 8 or get your new iPhone 6
4. Location, Location, Location – right off the bat iOS 8 asks you to enable location services before you can even play with the new OS. Go through the apps that request that data with a fine-tooth comb and decide which really need the information
5. Medical Condition setup – iOS 8 users should set up a Medical ID. This is a virtual medical ID card that includes information like blood type, organ donor, allergies, and medical conditions.
6. Fingerprint Authentication – Be sure to enable Touch ID if you have an iPhone with a fingerprint reader, and deactivate Simple Passcodes to use a longer, more complex passphrase to unlock your device.
7. Lock Down the Lock Screen – From the Restrictions section of the General settings, you can hide apps and even prevent apps from being installed or deleted. You can also set which apps can access your microphone, or other intimate settings, and prevent those settings from being changed.
8. Go Nuclear – A strong passcode and Find My iPhone go a long way toward keeping your phone, and its data, secure. But we can go further. Set your iPhone to automatically wipe its contents after 10 failed attempts to enter a security code.

Windows 9 – Preview Announcement set for September 30th

Several articles note that new features of the upcoming operating system will be previewed on September 30, 2014

http://www.computerworld.com/article/2683914/microsoft-sets-windows-9-reveal-for-sept-30.html

QUOTE: Microsoft issued invitations on Monday for a Sept. 30 event where it will unveil the next version of Windows, according to multiple online reports. The San Francisco press conference will introduce the next iteration of Microsoft’s venerable Windows operating system. Most pundits and analysts expect the OS to be dubbed “Windows 9,” with the company sticking with the numerical moniker of the 2012 predecessor. It has also been known by the code name “Threshold.”

Presumably set for release in the first half of 2015, Windows 9, may be either the last major release of the operating system or the first in a string of smaller, less-ambitious updates as Microsoft accelerates its already too-fast-for-enterprise release schedule.  A revamped Start menu — one that hews more closely to the one in Windows 7 — a de-emphasis of the touch-first “Modern,” née “Metro,” mode and UI (user interface), and the ability to run Modern apps in Windows on the classic desktop have been bandied as Windows 9’s most obvious changes.

The mention of “enterprise” in Microsoft’s invitation bolsters the speculation that Windows 9 will be primarily aimed at business and corporate customers, who have spurned Windows 8 because of its split-UI personality. That, in turn, argues for a surfacing of new features and other changes that make the OS easier to operate and navigate with mouse and keyboard, still the primary input methods for business PCs.

It’s important for Microsoft to make Windows 9 attractive to those customers, Gartner analysts have said, if Microsoft is to convince them to move beyond Windows 7 — which has a lock on the corporate market — in time to avoid a repeat of the Windows XP longevity problem.

Leadership – Key Question to ask during fact gathering

From the excellent Leadership blog by John Maxwell, the key question of “What Do You Think?” is examined

http://www.johnmaxwell.com/blog/my-1-question-for-the-people-around-me

QUOTE: The simple act of asking the right questions of the right people can provide crucial information, offer clarity and help you make better decisions. That process begins with the questions you ask yourself. It continues with the questions you ask others. When you ask the right questions of people on your team, it not only gives the above benefits, it can also improve your connection with them and demonstrate your openness and teachability.

In my upcoming book, Good Leaders Ask Great Questions, I share the eleven questions that I continually ask members of my team. Today, I’ll talk about the question that I ask my most often: “What do you think?” These words come out of my mouth a dozen or more times every day.

1. Gathering Information – want good information from multiple sources and perspectives
2. Confirming My Intuition – what can you do to validate your belief?
3. Assessing Someone’s Judgment or Leadership – fastest way to assess people’s thinking and observation abilities
4. Teaching How I Think – asking “Why?” is a great tool for connecting and equipping.
5. Processing a Decision – Sometimes people need a number of different perspectives in order to discover the best choice

Apple – How iPhone 6 compares with iPhone 5s

From the Apple product announcements, a head-to-head comparison of both phones is made that highlights new iPhone 6 features and whether it is advantageous to upgrade:

http://www.pcmag.com/article2/0,2817,2468229,00.asp

QUOTE: Previous generations of iPhone have mostly been spec bumps, with the iPhone 5’s screen increase from 3.5 to 4 inches and the new A7 chip in the 5s making most of the news, along with some camera improvements. This time, Apple has released two phones to cover its bases, both with larger screens and the even faster A8 processors.

We won’t know for sure until we get the iPhone 6 in for a full review, but we expect real-world performance to be somewhat similar, at least at first. When app developers start making more complex apps and games to match the A8’s power, you may see some lag on your iPhone 5s, but it’s clear you’d need some pretty serious games to slow the A7 down.

Apart from the screen and CPU, there are also some interesting new features in iOS 8, most notably Apple Pay, which will arrive in October and promises to make mobile payments a more accepted standard. And if any company’s going to do it, it’s Apple. Unfortunately for those with the iPhone 5s, this feature requires NFC, which only the iPhone 6 and 6 Plus will have.