Security Protection – Harry Waldron MVP


January 2015 – TechNet Security newsletter

An excellent article on how to protect passwords and other credentials is highlighted in the January 2015 TechNet Security newsletter:

January 2015 – TechNet Security newsletter
https://technet.microsoft.com/en-us/security/cc307424.aspx 

Credential Theft and How to Secure Credentials
https://technet.microsoft.com/en-us/security/dn920237


QUOTE: And above all, start treating your credentials like you do your underwear. Change them frequently. Never share them. Never leave them lying around. And they should be sexy. Oh wait… you are in IT, so maybe not. Let’s go for they should be mysterious and hard to figure out. And the longer the better. Especially on those cold nights when you are called in to deal with unauthorized access because someone else didn’t follow this advice.

Windows 10 Technical Preview – Four key new features

This article highlights four major new features of the next version of Windows, currently in development:

http://searchenterprisedesktop.techtarget.com/tip/Comparing-Windows-10-features-with-those-in-earlier-OSes

QUOTE: The Windows 10 Technical Preview has now been out for a few months, and we can soon expect an updated build of Microsoft’s flagship operating system. What can longtime Windows users expect? Let’s look at some of the most interesting desktop- and enterprise-oriented Windows 10 features that users coming from Windows 7 and Windows 8.1 will immediately notice and enjoy.

1. New Spartan web browser – This may complement or even replace Internet Explorer in the future, with voice-activation commands and embedded sub-browser modes.

2. Cortana Voice activation system – Microsoft’s version of Siri is expected to make it into Windows 10, giving users the ability to control their computer, ask questions, conduct Web searches, set appointments and other reminders, and more by simply talking in a natural voice to their machine.

3. Classic Start menu returns – to provide a logical, non-full-screen place to launch applications and execute searches. Perhaps most importantly, users will go to the Start menu to log off and turn off their PCs.

4. Continuum device unification – shifts the user interface based on the type of device the user is currently running. When a keyboard is attached, the Windows desktop mode is invoked; when it is disconnected, the device switches to the Modern tile interface.

CryptoWall 3.0 – New Variant emerges

Two months after CryptoWall 2.0 activity went quiet, a redesigned variant of the CryptoWall Trojan horse has surfaced. Users should avoid clicking suspicious email or website links, keep operating systems, browsers and browser plug-ins fully patched, and keep AV protection up to date. Offline backups of data remain the most reliable recovery path, and infected users should seek methods of decrypting files without paying the ransom fee, which is approximately $500.

http://www.pcworld.com/article/2868972/cryptowall-ransomware-is-back-with-new-version-after-two-months-of-silence.html

QUOTE: Like its predecessors, the new version is being distributed through drive-by download attacks that exploit vulnerabilities in outdated browser plug-ins or through other malware already installed on computers, researchers from Microsoft said Tuesday in a blog post.

ADDITIONAL LINKS BELOW:

http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx

https://isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/

http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html

http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-3/

https://forums.malwarebytes.org/index.php?/topic/163485-cryptowall-30/

Data Breach – Morgan Stanley reports 350,000 accounts compromised

While no misuse has been reported so far, the exposed account data could potentially be used for identity theft.

http://www.wsj.com/articles/morgan-stanley-terminates-employee-for-stealing-client-data-1420474557

Morgan Stanley fired one of its financial advisers after it accused him of stealing account data on about 350,000 clients and posting some of that information for sale online, in potentially the largest data theft at a wealth-management firm.  Morgan Stanley said its employee downloaded information on about 10% of its wealth-management clients, totaling about 350,000. The bank said that on Dec. 27 it discovered data related to about 900 of its client accounts during a routine review of public websites known to traffic in such information. The data, which included account names and numbers, states of residence and asset values, appeared on the Internet “briefly,” the firm said Monday in a statement.

Leadership – Giving is the Most Effective Daily Habit to Develop in 2015

Another excellent leadership topic from John Maxwell’s blog

http://www.johnmaxwell.com/blog/what-is-the-most-effective-daily-habit-to-develop-in-2015

QUOTE:  This is the time of year when we all seem to be examining our habits. What habits do we want to eliminate for the new year? And what habits would we like to establish?   How do we want our days to look in 2015?

Now is the perfect time to make some important decisions. Then we can manage those decisions in the new year.  I believe that there is one big decision that everyone needs to make and manage, especially if you’re a leader. This one habit can radically change your life and leadership, if you can practice it daily:

(1) The habit of giving more than you receive
(2) Giving Acknowledges That Others Have Helped Us
(3) Giving Requires Us to Get Beyond Ourselves
(4) Giving Is by Nature Intentional
(5) Giving Changes the World—One Person at a Time

PHPBB Security — Massive SPAMbot attack starts in 2015

Some vulnerable phpBB-based forums have experienced a massive, ongoing “SPAM bot” invasion, as documented in the following thread. User registration and even guest access must be set up according to best practices to defeat these highly automated attacks:

https://www.phpbb.com/community/viewtopic.php?f=46&t=2283526

How can I deal with up to 450 “guests” on my forum doing or trying to do things a guest cannot do? They soak up so much server resources it is almost a denial of service type of attack. All seem to be using the TOR proxy network. Not many or any have successfully registered an account but they come and go in waves and make the forum throw MySQL errors until they leave. I was thinking it might be an idea to write a front end that would test for a human (with captcha or the like) before allowing any guest to browse the forum.
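The symptom in the thread (hundreds of sources arriving in waves and hammering the forum until the database falls over) shows up clearly in the web server's access log before phpBB ever sees the request. The following script is an added example, not code from the thread or from phpBB itself: it reads Apache/nginx "combined" log lines and reports (a) any source address that exceeds a per-minute request limit and (b) how many distinct sources hit the site in each minute, which is what a "wave" looks like. The log format, the threshold and the sample log lines are assumptions constructed for the example; an access log cannot distinguish guests from members, so the output is a list of candidates to throttle or send through a CAPTCHA at the front end, not a verdict.

```python
"""Flag burst sources in a combined-format access log. Added example, not from
the phpBB thread. Sample log lines below are constructed, not captured."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_line(line: str):
    """Return (ip, timestamp, request, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"], int(m["status"])


def _per_minute(lines):
    """minute -> Counter(ip -> requests in that minute)."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed or foreign-format lines
            continue
        ip, ts, _, _ = rec
        buckets[ts.replace(second=0)][ip] += 1
    return buckets


def flag_sources(lines, per_minute_limit: int = 30) -> dict:
    """{ip: peak requests in any single minute} for every ip above the limit."""
    peak = Counter()
    for counter in _per_minute(lines).values():
        for ip, n in counter.items():
            peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > per_minute_limit}


def distinct_sources_per_minute(lines) -> dict:
    """{'HH:MM': number of distinct client addresses} - a spike here is a 'wave'."""
    return {minute.strftime("%H:%M"): len(counter)
            for minute, counter in sorted(_per_minute(lines).items())}


def make_sample_log():
    """Constructed lines: one normal visitor, then three sources each firing
    40 registration requests inside the same minute."""
    def entry(ip, hhmmss, path, status=200):
        return (f'{ip} - - [09/Jan/2015:10:{hhmmss} +0000] "GET {path} HTTP/1.1" '
                f'{status} 1234 "-" "Mozilla/5.0"')
    lines = [entry("198.51.100.7", f"12:{i * 10:02d}", "/viewforum.php?f=2") for i in range(5)]
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        lines += [entry(ip, f"13:{i % 60:02d}", "/ucp.php?mode=register", 403) for i in range(40)]
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("sources over limit:", flag_sources(log))
    print("distinct sources per minute:", distinct_sources_per_minute(log))
```

On the constructed input the three 203.0.113.x addresses are flagged at 40 requests per minute while the normal visitor is not; on a real log, feed the flagged addresses to whatever sits in front of phpBB (a rate limit, a CAPTCHA challenge, or a block list) rather than letting them reach the database.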

Cyberattacks – Locking down UDP services to prevent DDoS attacks

The SANS Internet Storm Center (ISC) has excellent advice to help reduce the potential severity of DDoS attacks, as noted below:

ISC – Will 2015 be the year DDoS attacks stopped?

QUOTE: Among the events of the past few days during the holidays was a DDoS attack on Sony’s Playstation network and on Xbox Live’s network. The attack was reportedly carried out by a group called Lizard Squad and by all measures is not precisely the profile of a highly sophisticated attack. Such attacks have increased in both intensity and frequency in the past year but, to an extent, are not terribly new.

Many of these attacks rely on spoofing source IPs to an open UDP service (i.e. NTP, DNS, etc.) that responds to the spoofed target with traffic much larger than the request. Since some protocols can respond with a response hundreds of times larger than the request, it makes it easy for someone with a gigabit connection to the internet to direct large DDoSes at a victim, assuming they know enough open services.

The first step to deal with this problem is for organizations to stop running open UDP services without a really, really good reason (which you don’t have). Usually, this involves very minor configuration changes. If you do need to run open services to the internet (you don’t), then use rate-limiting to prevent the service from being abused.

Does your network run any open UDP services? There are 4 websites that will help you find such services on your network. These are the four biggest offenders in reflective DDoS attacks and eliminating them would go a long way to taking a bite out of the DDoS threat.

openresolverproject.org
openntpproject.org
openssdpproject.org
opensnmpproject.org
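To make the amplification arithmetic in the diary concrete, the following Python script is an added example (not part of the ISC diary or of any of the four projects it links) that decodes DNS response headers and classifies a server as an open recursive resolver when it answers a recursive query from an arbitrary client with the RA flag set and a NOERROR answer. The query name, transaction ID, record count and both sample responses are constructed inline so the script runs offline; the `probe()` function, which sends the same query over UDP to a server you name, is included for checking a resolver you are authorized to test and is not called by default.

```python
"""Why an open recursive DNS resolver is a reflection/amplification source.
Added example, not from the ISC diary. All packets below are constructed."""
import socket
import struct

ANY = 255   # QTYPE ANY: attackers ask for it because the answer is large
IN = 1      # QCLASS IN


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label format (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: int = ANY, txid: int = 0x1234) -> bytes:
    """Minimal recursive (RD=1) query: the small packet an attacker spoofs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN)


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1 bit layout)."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "rd": (flags >> 8) & 1,    # Recursion Desired (copied from the query)
        "ra": (flags >> 7) & 1,    # Recursion Available
        "rcode": flags & 0xF,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }


def is_open_resolver(query: bytes, response: bytes) -> bool:
    """True when the server recursed for an arbitrary client: matching ID,
    RA set, NOERROR and at least one answer record."""
    try:
        q, r = parse_header(query), parse_header(response)
    except ValueError:
        return False
    return (r["qr"] == 1 and r["id"] == q["id"] and r["ra"] == 1
            and r["rcode"] == 0 and r["ancount"] > 0)


def amplification(query: bytes, response: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker spends."""
    return len(response) / len(query)


def constructed_open_response(query: bytes, records: int = 20, txt_len: int = 200) -> bytes:
    """Constructed reply as an open resolver would send for an ANY query:
    flags 0x8180 (QR, RD, RA, NOERROR), the question echoed, then `records`
    TXT answers whose owner name is a compression pointer (0xC00C) to the
    question. Over plain UDP a real reply this size would be truncated at
    512 bytes unless the client adds an EDNS0 OPT record, which attackers do;
    that detail is omitted here."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, records, 0, 0)
    rdata = bytes([txt_len]) + b"x" * txt_len                      # one TXT string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, IN, 300, len(rdata)) + rdata
    return header + query[12:] + rr * records


def constructed_refused_response(query: bytes) -> bytes:
    """Constructed reply from a resolver restricted to its own clients:
    flags 0x8105 (QR, RD, RA clear, REFUSED), no answers, same size as the query."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + query[12:]


def probe(server: str, name: str = "example.com", timeout: float = 2.0):
    """Send one query to `server` (a resolver you are authorized to test) and
    return (is_open, amplification). Not called by the offline demo below."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            resp, _ = s.recvfrom(65535)
        except socket.timeout:
            return False, 0.0
    return is_open_resolver(q, resp), amplification(q, resp)


if __name__ == "__main__":
    q = build_query("example.com")
    for label, r in (("open resolver", constructed_open_response(q)),
                     ("restricted resolver", constructed_refused_response(q))):
        print(f"{label}: open={is_open_resolver(q, r)} "
              f"amplification={amplification(q, r):.1f}x ({len(q)} -> {len(r)} bytes)")
```

Running it shows roughly 148x amplification for the 29-byte query against the constructed ANY answer, versus 1.0x for a resolver that returns REFUSED to clients outside its own address ranges. The configuration change the diary calls "very minor" (answering recursive queries only for your own networks, and rate-limiting responses if the service must stay reachable) is exactly what turns the first case into the second.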

Security 2014 in review – eWeek documents top 10 incidents

This informative slide show highlights 10 significant security incidents during 2014, as shared by eWeek magazine

http://www.eweek.com/security/slideshows/top-10-security-incidents-and-vulnerabilities-of-2014.html


This past year has been one of the busiest ones on record for IT security professionals, with a seemingly endless stream of high-profile exploits and software vulnerabilities. At the end of 2013, Target revealed what turned out to be the first of many retail breaches over the next 12 months. Retailers large and small were in the news over the course of 2014, with breaches at Home Depot, Staples, Dairy Queen and even the nonprofit Goodwill Industries. Retailers weren’t the only ones under attack in 2014, however; the open-source software development movement was under scrutiny due to several high-profile security incidents. The OpenSSL Heartbleed vulnerability that was first disclosed in April had a wide-reaching impact and consequences that took months to unravel. Heartbleed also ushered in a new era of naming and branding vulnerabilities that extended throughout 2014. The Shellshock bug in the open-source BASH shell was another high-impact vulnerability disclosed in 2014 that left IT professionals scrambling.

Data Breach – JP Morgan intrusion details emerging

More details have emerged on the JPMorgan Chase banking breach earlier in 2014:

http://bits.blogs.nytimes.com/2014/12/23/daily-report-simple-flaw-allowed-jp-morgan-computer-breach/


The computer breach at JPMorgan Chase this summer — the largest intrusion of an American bank to date — might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network, said people who have been briefed on internal and outside investigations into the attack. Big corporations like JPMorgan spend millions — $250 million in the bank’s case — on computer security every year to guard against increasingly sophisticated attacks like the one on Sony Pictures. But the weak spot at JPMorgan appears to have been a basic one, the people said.   The attack against the bank began last spring, after hackers stole the login credentials for a JPMorgan employee, these people said. Still, the attack could have been stopped there.   Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion.

Ransomware – NEW OphionLocker family emerges

The new OphionLocker ransomware agent is described in the following links:

http://trojan7malware.blogspot.co.uk/2014/12/ophionlocker-new-ransomware-on-scene.html

https://www.f-secure.com/weblog/archives/00002777.html


Last August, we wrote about a series of ransomware that included SynoLocker and CryptoWall. In our CryptoWall post, we briefly mentioned the more advanced family of ransomware, CTB-Locker, which uses elliptic curve cryptography for file encryption and Tor for communication with the command & control server.

This week, another ransomware emerged using the same cryptography for encryption. It was first spotted by Trojan7Malware from a malvertising campaign that used RIG exploit kit. They dubbed the malware as OphionLocker.

Upon infection, this malware uses a Tor2web URL for giving instructions on how to send the payment and obtain the decryptor tool. Here is the message that will be shown to the user after encryption: Entering the HWID will display the ransom message that asks for 1 BTC (Bitcoin).