Security Protection – Harry Waldron MVP


BEST PRACTICES FOR INTERNET SAFETY FOR 2014

In November, a presentation is planned for professional organizations in our area.  This represents a planning outline that will be further refined.  

1. SECURITY = SEC-U-R-IT-Y – A class leader once shared that “you are it”.  Careful and well-planned human behavior is your BEST defense, even over technological safeguards.  Fort Knox has some of the world’s best security, but if the guards open the doors and let unauthorized folks in — what good is all of that fortification?  For the best safety for yourself, your family, and your organization, one must “think security” and then integrate those concepts in all actions.

2. THINK DEFENSIVELY – Avoidance is your #1 risk management tool.  For email or internet actions — safety should always be a primary concern.  It’s good to get secondary verification before acting on items.  When a site is encountered that will not allow you to exit — use CTRL+SHIFT+ESC to bring up Task Manager to close malicious web pages & exit safely.  Lock down your browser with restrictive security settings.  Patch immediately from trusted sources to fortify your system.

3. THINK BEFORE YOU CLICK – Think of every action on the Internet as potentially dangerous.  While most actions are safe, there is still the potential of danger.  It is better to pause and double check than to act on emotions or initial responses.  The good news is that it takes one or more clicks by the user to install most malware.  The bad news is that many folks click anyway, without realizing this gives permission to possibly plant malicious code in a stealth-like manner on the system.

4. STAY INFORMED ON DANGEROUS RISKS – When a leading bank with restrictive security has millions of accounts compromised, it is a wake-up call for security to be a top safety theme in our well-connected society.  Security is only as strong as its weakest point.  Recently, telephone call scams pretending to be the IRS, Microsoft, and other entities have emerged.  However, in most cases these entities use postal mail to contact folks on serious matters.  These are scams intended to rob folks ultimately.  There are “no free lunches on the Internet” and the appeal of winning or being chosen may tempt users to click on unsafe items.  Please avoid temptations to click on even false news alerts.  A few years ago a bad European 100-year storm hit and there was a “Storm Worm” virus that impacted many users.  Today, there are false Ebola news alerts circulating and clicking those links may implant a virus.  Sensationalized news alerts can be used to trick users.  Stay informed on security news bulletins & visit beneficial blog sites to stay educated on the dangers.

5. STAY UP-TO-DATE ON SOFTWARE – Update Windows, Anti-Virus and all other products on your system as soon as updates are offered. Stay on the latest version of your browser, Flash, and other software. Reboot your PC often to give it a fresh start and ensure the latest patched components load for your protection.

6. USE SECURE PASSWORDS – Use strong password techniques and don’t use the same one for each site, but vary them to reduce harm if the bad guys happen to discover one. Consider putting an asterisk (*) or exclamation point (!) at the end of a password that you like using. Use 2-pass security and other approaches in lieu of passwords when feasible.

7. WIRELESS NETWORK SAFETY – Use or set up these resources with security in mind, as unsecured connections can be easily intercepted. Be especially careful with your mobile smartphone as it can provide a wealth of personal and sensitive information, if lost or stolen.  Please consider wireless as HIGH RISK both at home and away.

8. PHYSICAL SECURITY – Carefully handle laptops or mobile phones while traveling by air, driving, or staying at a hotel. Hide, lock, and secure these resources. Encrypting the hard drive is beneficial for frequent travelers and anyone desiring high levels of security.

9. RECOVERY FROM SECURITY EVENT – When personal information has been compromised or malware infections occur, quickly change all passwords, alert banks, change account numbers, and take other actions to minimize damages associated with loss of information.  The key is to quickly change credentials for anything that has been disclosed and ensure your security in future processing is restored under new & improved controls.

10. SECURITY IS A CONTINUOUS IMPROVEMENT PROCESS – The bad guys are improving their tactics & defensively we must proactively respond as developments occur. The defense mechanisms of five years ago won’t work for today’s threats. Security requires re-thinking and re-evaluation of safety techniques constantly.

Data Breach – JP Morgan 76 million users impacted

 

I had the same reaction as “The Atlantic”, as 90 “BANK” servers were compromised and sensitive personal data was mined.  While no financial account data was extracted, phishing scams and targeted attacks could be easily created knowing email addresses and other personal data.

http://www.theatlantic.com/business/archive/2014/10/why-the-jp-morgan-data-breach-is-like-no-other/381098/

QUOTE: Banks are supposed to have some of the most advanced security systems in the world.   JP Morgan still got hacked. Another month, another report of a large corporation failing to keep customer information secure. This time, it’s JP Morgan reporting that 76 million households and 8 million small business were exposed in a data breach. At this point, it’s understandable if the news doesn’t cause much alarm.

But hear us out: This JP Morgan Chase breach should freak you out, even if you don’t bank with them. Previous data breaches have largely been confined to retail companies (Target, Home Depot etc.), where brands are required to meet basic security protocols and not much else. “Retailers are known to be cheap,” Paula Rosenblum, managing partner at Retail Systems Research, said. “But it gives me much more pause when it happens to a bank.”

Banks have much more sensitive information about their customers than any retail operation, everything from social security numbers to detailed records of past spending. So far, JP Morgan reports that only limited personal information, such as names, phone numbers, and addresses, were stolen, insisting that social security numbers, banking information, and other data remain safe. “I’m assuming that [information] is encrypted,” said Rosenblum. “If not, then Katy bar the door.”

Then there’s the sheer scale of the breach. Let’s repeat: Seventy-six million households and 8 million small business were exposed. According to The New York Times, JP Morgan believed only one million accounts were affected a few weeks ago. So there’s the possibility that the number may rise even further.

ATM Malware – Tyupkin allows direct theft from infected ATM systems

Kaspersky Security is warning financial institutions regarding highly sophisticated ATM malware where a thief knowing the right input codes can steal money directly from the ATM itself.

https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

QUOTE:  This ATM based malware attack uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night.  It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.  When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.   This is done by infecting ATMs directly or direct APT-style attacks against the bank.  The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.

General advice for on-premise ATM operators

* Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras.
* The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
* Regularly check the ATM for signs of attached third-party devices (skimmers).
* Be on the lookout for social engineering attacks by criminals who may be masquerading as inspectors or security alarms, security cameras or other devices on premises.
* Treat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.
* Consider filling the ATM with just enough cash for a single day of activity.

WINDOWS 10 – First look by Network World

http://www.networkworld.com/article/2689722/windows/microsoft-windows-165000-first-look-windows-10.html

QUOTE:  Although Microsoft is skipping a whole version number for the next Windows version, which will ship some time next year, the early version of Windows 10 it showed off today was mostly composed of commonsense fixes to Windows 8, better integrating its Desktop and Metro halves and being smarter about adapting to keyboard and touch environments.

A big complaint about Windows 8 was the lack of the familiar Start menu that debuted in 1995. Windows 8.1 brought a Start button, but all it did was switch between the Metro and Desktop halves of Windows. Windows 10 brings back the real Start menu, but with the Metro tile look from Windows Phone and Windows 8’s Metro screen.

Windows 10 will let Metro apps run in Desktop windows like any other app, getting rid of the duality of Windows 8. That leaves the question: How’s a Metro app different from a Desktop app beyond the look and feel?

Windows 10 brings Windows 8.1’s snap feature to the Desktop, so you can arrange app windows in a tiled view. Yes, Windows has long supported a tiled view within apps (for their document windows), but now you get the capability among apps themselves.

WINDOWS 10 – Product Announcement link

Below is the public announcement thread, highlighting major features for Windows 10.

http://live.theverge.com/microsoft-windows-9-event-live-blog/#

http://www.theverge.com/2014/9/30/6868695/microsoft-windows-10-announced-official

http://www.theverge.com/2014/9/30/6868899/windows-10-availability-technical-preview-tomorrow

 
The next major version of Windows, Windows 10, will be available late next year. The new operating system is being unveiled today at an event in San Francisco, where Microsoft announced its name and began detailing new features, including the return and makeover of the Start Menu, the introduction of multiple desktops, and a new universal search feature. Microsoft isn’t hiding that, for mouse and keyboard users, this is a move back toward what Windows users are used to and away from the contentious changes in Windows 8. “It gives the familiarity of Windows 7 with some of the elements of Windows 8,” Windows chief Terry Myerson says.

LINUX/UNIX Admins – PATCH AGAIN as new BASH Shellshock exploits are emerging

While these brand new vulnerabilities have emerged, they appear to be less “exploitable” from directly tailored environment variables than the original BASH Shellshock exploit.  Still, there is a need for open source administrators to be vigilant and in a “patch now” mode as further developments warrant.

http://www.darkreading.com/vulnerabilities---threats/new-bash-bugs-surface/d/d-id/1316161

QUOTE: If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash function, your work is not done here yet. New bugs have been reported in Bash, so it’s probably time to patch again, security experts warn.

Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched, as of this posting: CVE-2014-7186, -7187, and -6277. The original Bash Shellshock bugs revealed on September 24 — CVE-2014-6271 and CVE-7169 — have been patched and updated in major distributions, according to Ullrich.

The latest bugs in Bash are not one and the same as Shellshock, however. “They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn’t seem to apply,” says Ullrich, who is currently performing more testing on the latest findings.

https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+the+wild/18725

QUOTE: I just published an updated YouTube presentation (about 15 min in length) with some of the shell shock related news from the last couple days:

YouTube: https://www.youtube.com/watch?v=b2HKgkH4LrQ
PDF: https://isc.sans.edu/presentations/ShellShockV2.pdf
PPT: https://isc.sans.edu/presentations/ShellShockV2.pptx

Leadership – Inspiring project team with Vision

John Maxwell’s Leadership blog has excellent advice that is applicable for IT projects.

http://www.johnmaxwell.com/blog/give-your-dream-a-team

QUOTE: If you’re dreaming big, then the size of your vision will surpass your present abilities. Not only that, but your dream will even dwarf your potential abilities. No matter how much you grow and develop, you won’t ever be able to accomplish the dream alone. One is too small a number to achieve greatness. Every dream needs a team in order to come true. The questions are who to include on the team and how to convince them to join.

Who should I include on my dream team?  Life is especially hard on dreams, and when challenges arise we can be tempted to delay the dream indefinitely or to abandon it altogether. That’s why every dream team has inspirers. These people keep hope alive by providing continual encouragement. They believe in the dream even when you start to doubt it.

There’s a fine line between a dream and a fantasy, and it can be easy to cross. Every dreamer needs honest critics to keep from wandering into make-believe. These constructive critics are not skeptics or cynics; they believe in the dream just as much as you do. However, they’re attuned to reality, and they know that a dreamer who avoids facts and evidence will inevitably lose credibility.

Windows 8.1 Credential Manager – how to access and use

An informative article regarding Windows 8.1 Credential Manager from Tech Republic:

http://www.techrepublic.com/article/working-with-windows-8-1s-credential-manager/

 
Whenever you respond to a prompt that essentially asks if you want Windows or Internet Explorer to remember your password, the operating system will then store your user credentials in an encrypted file scheme known as the Windows Vault. Having your credentials stored in this vault allows you to be able to automatically log on to a server/site without first being prompted to provide a username and password. For example, the vault can store credentials and then use them to automatically log you into online services such as Hotmail and OneDrive, Microsoft Office services such as Outlook Web Access for Exchange Server, plus Windows servers and Remote Desktop connections. The GUI front end for this vault is called Credential Manager, and it’s designed to allow you to easily view and manage your network-based logon credentials (i.e., usernames and passwords). In this article, I’ll introduce you to the Windows 8.1’s Credential Manager and explain how it works.

Apple iPhone 6 – over 60 pounds of force to bend

Interesting tests by Consumer Reports document that the new iPhone 6 casing holds up comparably with other similar smartphones.

http://www.pcmag.com/article2/0,2817,2469381,00.asp

QUOTE: Apple’s iPhone 6 required less force to ruin than Apple’s iPhone 6 Plus, but more force than what Apple itself has been claiming the iPhones can tolerate. According to those who attended a recent press tour of the company’s “torture lab” for its iPhones, an iPhone 6 can handle at least 25 kilograms of weight—around 55 pounds—in a similar three-point flexural test. Apple maintains the iPhone 6 can actually handle more weight than that, but didn’t specify how much.

According to Consumer Reports’ tests, the iPhone 6 only started to deform, warp, or otherwise look different than it normally does once the test applied 70 pounds of weight to the smartphone. The iPhone 6 Plus held out for slightly longer, deforming at around 90 pounds.

Two days ago, the Internet erupted with photos of bent iPhone 6s, and a very-viral video of a guy creasing an iPhone 6 Plus with his bare hands. It seemed like a serious concern, yet everything about the uproar was highly unscientific. We don’t like unscientific, so we promised then that we would use our lab equipment to find out just how delicate the iPhone 6 and 6 Plus really are.

Hacked Account – Recovery tips for home users SEP2014

Kim Komando shares 5 page guides to recover stolen email or other accounts.  The key links to recovery resources for Facebook and other sites are helpful resources for home users.

http://www.komando.com/tips/11269/easily-recover-a-hacked-account

 
Unlike other online accounts, I wouldn’t use online forms to try to get back a hacked bank account. Call the bank or visit your local bank branch immediately. The bank will work with you to change the password and reverse any fraudulent charges. You may have to open up a new account, though. While you’re there, ask about using additional verification features. Most banks have a system that lets you verify any major charge before it’s made. For any online account, a little preparation beforehand makes your account much harder to crack. Check your online account’s security settings often. Make sure you have a rock-solid password and strong security question to keep hackers out.