Security Protection – Harry Waldron MVP


FBI – International Corruption squads established

The FBI has just announced improved support to combat fraud on an international basis.

http://www.fbi.gov/news/stories/2015/march/fbi-establishes-international-corruption-squads/fbi-establishes-international-corruption-squads

The FCPA, passed in 1977, makes it illegal for U.S. companies, U.S. persons, and foreign corporations with certain U.S. ties to bribe foreign officials to obtain or retain business overseas. And we take these crimes very seriously—foreign bribery has the ability to impact U.S. financial markets, economic growth, and national security. It also breaks down the international free market system by promoting anti-competitive behavior and, ultimately, makes consumers pay more.

We’re seeing that foreign bribery incidents are increasingly tied to a type of government corruption known as kleptocracy, which is when foreign officials steal from their own government treasuries at the expense of their citizens. (See sidebar for more on kleptocracy). And that’s basically what these foreign officials are doing when they accept bribes in their official capacity for personal gain, sometimes using the U.S. banking system to hide and/or launder their criminal proceeds.

The FBI—in conjunction with the Department of Justice’s (DOJ) Fraud Section—recently announced another weapon in the battle against foreign bribery and kleptocracy-related criminal activity: the establishment of three dedicated international corruption squads, based in New York City, Los Angeles, and Washington, D.C.

Kleptocracy 101 – A kleptocracy—loosely translated from Greek as “rule by thieves”—is a form of political or government corruption involving officials who steal from their government treasuries to enrich their own personal wealth. Both cases mentioned above were opened under DOJ’s Kleptocracy Asset Recovery Initiative, which—in coordination with the FBI and other federal agencies—seeks to forfeit the proceeds of corruption by foreign officials and, where appropriate, use the recovered assets to benefit the people harmed by the acts of corruption. Both cases, investigated by the FBI, are prime examples of kleptocracy-related criminal activity: Through bribes and other schemes, these “kleptocrats” stole money from their own governments and used the U.S. banking system, among others, to launder the funds.

Windows 10 – Key improvements from Windows 8

This informative article and slide presentation from Information Week shares key features that will be implemented in Windows 10, coming later this year.

http://www.informationweek.com/software/operating-systems/windows-10-vs-windows-8-10-differences/d/d-id/1319410

Microsoft has gone back to the old days with the inclusion of the Start menu, which was missing from Windows 8. Another significant boost is that the company plans to include the personal digital assistant Cortana in the desktop version.  The other big news is the inclusion of a new browser, code-named Spartan.  Here are a few new features and improvements over Windows 8 that IT managers, administrators, and even some CIOs may find interesting in Windows 10, especially when compared to the previous version of the OS:

New features in Windows 10:
* Single platform for smartphones, tablets, and PCs
* Return of Start menus
* New browser, code-named Spartan
* Multiple desktops
* Cortana personal assistant for desktops

Improvements:
* Improved Command Prompt
* Unified app store
* Advanced menu for settings
* More options for Task View
* Revised File Explorer and icons

IRS Fraudulent scams – Warnings for 2015 tax returns

Kim Komando features some protective advice in this security alert. Users should also not respond to any unexpected calls from the IRS, as US Mail remains its primary means of communication (the IRS does not make initial contact by email or phone).

http://www.komando.com/tips/300138/protect-your-tax-return-from-crooks-and-hackers

In its most basic form, a crook uses your Social Security number to file a bogus tax return in your name, claiming some huge refund. According to the plan, the IRS sends out the refund to the fraudster who gets away scot-free. Or at least that’s the plan. Last summer, a Florida man was sentenced to 10 years in prison for stealing identities and then filing false returns claiming over $13 million in false refunds.

Unfortunately, convictions like this are the exception rather than the rule. Last year, the IRS actually paid out $5.8 billion in refunds that it later realized were actually fraudulent. But those were only the ones it caught. The IRS may never know just how many dollars in fraudulent refunds it has paid and gone undetected. You and other taxpayer victims may not know you’ve been hit until your legitimate return is rejected by the IRS because a crook has already filed using your information.

That’s why I’ve recommended the first step to protecting your tax return is to file as soon as possible. This reduces the window of time a thief has to file on your account. But I understand that’s not always practical for everyone. Perhaps you have a complex tax situation or you are still waiting on paperwork from others. Some people delay filing because they actually owe the government additional tax payments, and they want to wait until the last minute to pay up. However, it is perfectly fine to file your return early and still hold off making your payment until the April 15 deadline.

Privacy – RadioShack Bankruptcy and possible sale of Customer Data

While bankruptcy courts may technically treat customer data as an asset for sale, this action could potentially be blocked on privacy grounds.

http://www.bloomberg.com/news/articles/2015-03-24/radioshack-s-bankruptcy-could-give-your-customer-data-to-the-highest-bidder

The phone numbers, e-mail addresses, and shopping habits of more than 100 million customers are part of RadioShack’s bankruptcy auction.  RadioShack’s customers—even those whose most recent purchase came years ago—could also find themselves sold off in the deal. The company included personal data in its bankruptcy auction as its own asset class. A website maintained by Hilco Streambank, which is serving as an intermediary for RadioShack, says that more than 13 million e-mail addresses and 65 million customer names and physical address files are for sale. Hilco Streambank is careful to note that the bankruptcy court might not approve the deals, and there have already been two legal filings in attempts to block the sale of customer data.

The broader challenge, filed last week by Texas Attorney General Ken Paxton, argues that RadioShack made an explicit promise to its customers not to sell their personal data. Paxton claims that 117 million people are included in RadioShack’s customer data sale, which he says offers some details about shopping habits. The filing cites text from a sign displayed in RadioShack stores reading: “We pride ourselves on not selling our private mailing list.” State law in Texas prohibits companies from selling personally identifiable information in a way that violates their own privacy policies. On Monday, Tennessee’s attorney general joined Texas’s objection.

Firefox – Latest Version fixes Pwn2Own and other security issues

The latest Firefox updates fix Pwn2Own and other recently discovered security issues.

https://www.mozilla.org/en-US/firefox/36.0.4/releasenotes/

* 36.0.4: Security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest
* No longer accept insecure RC4 ciphers whenever possible
* Phasing out Certificates with 1024-bit RSA Keys
* 36.0.3: Security fixes for issues disclosed at HP Zero Day Initiative’s Pwn2Own contest

EMAIL SPAM – Added text used to bypass spam filtering

The Internet Storm Center shares an interesting and humorous design found in a recent mass mailing: to bypass spam filters, a salad recipe was embedded within the spam email message itself.

https://isc.sans.edu/forums/diary/Interesting+Home+Depot+Spam/19499/

At first glance it looks like yet another run of Home Depot Spam. It isn’t very sophisticated and isn’t likely to fool many.  The usual spelling mistakes and broken English. They didn’t even bother to link in Home Depot’s logo. By the time I received it both of the URLs in the message were dead, so I wasn’t able to measure what its intent was.  What makes it interesting then? If you look very carefully in the orange bar there is text.  That text and the contents of the message contain what seems to be a rather good recipe for lettuce salad:

***********************************
* 1 tablespoons olive oil
* 1 1/2 tablespoons fresh lemon juice
* 1 tablespoon red wine vinegar
* 2 garlic cloves, minced
* 1 teaspoon dried oregano (Mediterranean is best)

Security Testing – 2015 Pwn2Own Hacking Competition

All browsers were compromised by expert security testers, as documented below, and users should be on the lookout for updates in the coming weeks as vendors patch these vulnerabilities.

http://thehackernews.com/2015/03/browser-hacked-pwn2own.html

The Annual Pwn2Own Hacking Competition 2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash. The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed “lokihardt,” who worked alone and nabbed the single highest payout of the competition in the Pwn2Own history, an amazing bounty of $110,000 in just two minutes.

During the second and final day of this year’s hacking contest, the latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers.  Sponsored by HP’s Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive:

* 5 bugs in the Windows operating system
* 4 bugs in Internet Explorer 11
* 3 bugs in Mozilla Firefox
* 3 bugs in Adobe Reader
* 3 bugs in Adobe Flash
* 2 bugs in Apple Safari
* 1 bug in Google Chrome
* $557,500 USD bounty paid out to researchers

POS Malware – PoSeidon exports credit card data externally to attackers

This new malware attack is starting to circulate. It features a new capability to export data externally, so that attackers no longer need to log in locally to retrieve compromised credit card details.

http://blogs.cisco.com/security/talos/POSeidon

http://www.computerworld.com/article/2900310/new-malware-program-poseidon-targets-pointofsale-systems.html

Retailers beware: A new Trojan program targets point-of-sale (PoS) terminals, stealing payment card data that can then be abused by cybercriminals.  The new malware program has been dubbed PoSeidon by researchers from Cisco’s Security Solutions (CSS) team and, like most point-of-sale Trojans, it scans the RAM of infected terminals for unencrypted strings that match credit card information — a technique known as memory scraping.

This sensitive information is available in plain text in the memory of a PoS system while it’s being processed by the specialized merchant software running on the terminal. Security experts have long called for the use of end-to-end encryption technology to protect payment card data from the card reader all the way to the payment service provider, but the number of systems with this capability remains low.
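As an added defender-side example (not code from Cisco or the article), the Python below runs the check a PCI assessor applies to a process memory snapshot or crash dump: find 13–19 digit runs that pass the Luhn check, i.e. cleartext PANs, and confirm that a buffer holding only tokenized and encrypted records produces no hits. The memory contents and the `p2pe=` blob are constructed sample bytes.

```python
import re
from typing import List, Tuple

# Constructed snapshot of a PoS process memory region: a Luhn-invalid order id,
# a cleartext track-2 style record (the data a memory scraper is after),
# a masked PAN and a token. None of this is captured from a real system.
SAMPLE_MEMORY = (
    b"\x00\x01order=1234567890123456\x00"   # 16 digits but fails Luhn: not a PAN
    b";4111111111111111=2512101?"           # track-2 style record with cleartext PAN
    b"\x00masked=411111******1111\x00"      # masked PAN: no 13+ digit run survives
    b"token=tok_9f8e7d6c\x00"               # tokenized reference, nothing to scrape
)

# Same region after the merchant software switched to point-to-point encryption:
# the track data only exists as an opaque ciphertext blob (constructed bytes).
MITIGATED_MEMORY = (
    b"\x00\x01order=1234567890123456\x00"
    b"masked=411111******1111\x00token=tok_9f8e7d6c\x00"
    b"p2pe=\x8b\x2f\xd1\x44\x90\x03\x7e\xaa\x00"
)

# 13-19 consecutive ASCII digits not adjacent to other digits (card PAN lengths).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every major card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, masked PAN) for each Luhn-valid digit run in buf.

    Only the first six and last four digits are kept so the finding itself
    does not become another copy of the cleartext card number.
    """
    hits = []
    for m in PAN_RE.finditer(buf):
        digits = m.group(1).decode()
        if luhn_valid(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append((m.start(1), masked))
    return hits


if __name__ == "__main__":
    print("cleartext PANs in sample:   ", find_cleartext_pans(SAMPLE_MEMORY))
    print("cleartext PANs after P2PE:  ", find_cleartext_pans(MITIGATED_MEMORY))
```

The Luhn filter matters: a plain 16-digit regex would report the order id as a card number, which is the kind of false positive that makes teams ignore such scans.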

Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PoSeidon communicates directly with external servers and can update itself automatically. It also has defenses against reverse engineering. “PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” the CSS researchers said. “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families.”

Smart Device Security – March 2015 Symantec research study

In an evaluation of 50 smart home devices, this Symantec research report reveals a number of security gaps that must be addressed in future devices.

http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-the-internet-of-things.pdf

The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed.

To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities.

All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattacks.


HIGH-LEVEL SUMMARY OF KEY FINDINGS

1. Weak authentication – None of the devices used mutual authentication or enforced strong passwords.

2. Web vulnerabilities – We found and reported ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection.

3. Local attack vulnerabilities – Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices.

4. Potential for future attacks – Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream.

Windows XP – Migration Considerations for Windows 7 or 8

Both Windows 7 and 8 provide advantages in terms of support, reliability, performance and improved security as noted below:

http://images.globalknowledge.com/wwwimages/whitepaperpdf/WP_MS_WhichWindows.pdf

This “Crossroads for Windows XP Users: Windows 7 or Windows 8?” white paper is sponsored by Global Knowledge. It explores the pros and cons of each option – including your options for staying with XP. The choices are basically to gut it out with XP for some period of time; transition to Windows 7 with the plan of skipping Windows 8; or transition to Windows 8 and wait and see what Windows 10 brings.