Security Protection – Harry Waldron MVP Rotating Header Image

Malware – Ransomware new Cerber and Locky variants NOVEMBER 2016

Ransomware variants continue to emerge as security vendors attempt to keep pace of developments.

http://blog.checkpoint.com/2016/11/24/14959/

During Thanksgiving holidays, Cerber and Locky, the two most popular ransomwares out there, have launched new variants to the wild simultaneously. The new ransomware versions released perform slender, yet very interesting, changes that may affect the way they are being detected.

CERBER 5.0 Uses New IP Ranges — The actors behind Cerber, like other actors in the ransomware industry, innovate on a daily basis. Only yesterday (November 23rd, 2016) a new version of Cerber was released (4.1.6); however no prominent changes were noticeable in it. Less than 24 hours later, Cerber released the new version, 5.0, which is described in this article.

LOCKY — The ever changing Locky ransomware has just released a new variant which implements new evasion techniques and adjusted ransom tariff. Locky is known for being downloaded as a dll file using JavaScript based downloader. Although the new variant acts just the same, the JavaScript downloader pulls disguised .TDB file which turns to be a PE file. Locky’s threat actor probably wishes to evade security products that sign the already known infection chain

Apple – iOS 10 slideshow of 30 user tips for new version

PC Magazine has created a slideshow of 30 user tips for new Apple iOS 10 version

http://www.pcmag.com/slideshow/story/347908/30-hidden-tips-for-mastering-ios-10

Apple’s iOS 10 didn’t have the smoothest of rollouts; there were some unique quirks.  In PC Labs, our analysts updated five iPhones to iOS 10 and it worked great—on four of them. At this point, you’re probably in the clear, though, and iPhone power-users will want to know exactly what’s in store. These tips cover the best new features that aren’t always obvious when first using Apple’s newest mobile OS.

PCI DSS – Four tiered levels of corporate certification

The following shares details for the tiered levels and audit compliance criteria for Pay Card Industry Data Security standard (PCI/DSS v3.2)

http://scanforsecurity.com/pci-dss-why-do-you-need-it-and-how-does-it-works/

PCI DSS (Pay Card Industry Data Security standard) is a security standard for the payment card industries. The standard has been developed by the international payment systems of Visa and MasterCard. Any organization that plans to accept and process the bank card data on its site must comply with PCI DSS requirements. There are four levels of PCI DSS certificates that are primarily different from the maximum number of transactions processed:

* Level 4 — up to 20 thousand transactions per year.
* Level 3 — 20 thousand to 1 million transactions per year.
* Level 2 — from 1 million up to 6 million transactions per year.
* Level 1 — only conducted with an independent auditor (QSA) and allows more than 6 million transactions per year to be processed.

PCI DSS certification allows you to work with banks directly through the bank’s payment interfaces and the internet enterprise itself. This eliminates the customer’s transition to a third-party site. In addition, building your own payment system allows you to work directly with multiple banks, “balancing” between them, and build a “cascade” system of payments. With a “cascade” payment, its authorization is performed sequentially in several banks and processing centers, which can significantly reduce the percentage of transactions that have been rejected.

Open Source software – Checklist to evaluate security and support

SANS has published an excellent guide for evaluating open source products and applications.  A partial list of several insightful questions are shared below:

https://isc.sans.edu/forums/diary/Free+Software+Quick+Security+Checklist/21751/

Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures but the most important remains, of course, the price. Even if they are many hidden costs related to “free” software. In case of issues, a lot of time may be spent in searching for a solution or diving into the source code

Today, more organisations are not afraid anymore to deploy free software in their infrastructure but are those solutions really secure? A customer came to me with an interesting question about performing a security audit of free software. The idea is to validate the software before deploying it in infrastructure.

The idea is not to perform a deep source code review or to pentest the tool but more to establish a checklist of key points. I already compiled a rough list of questions that I’d like to share with you:

* What is the programming language used?  
* Architecture and security framework?
* Regular updates?
* Roadmap for the coming months?
* How big is the community around the project?
* How big is the current users base?
* The documentation and quality of documentation within the code? 
* Are external pieces of code (like libraries) used?

Facebook – Messenger service adds Instant Games facility

Facebook is adding a few classic games to it’s Messenger mobile service called “Instant Games”. Users should always be on alert for possible future spoofing of this new capability by malware writers.

https://techcrunch.com/2016/11/29/messenger-instant-games/

Bored while you wait for friends to text back? Now you can challenge friends for high scores on Facebook Messenger’s new Instant Games, like Pac-Man, Space Invaders, and Words With Friends Frenzy. Available right from your message threads, they load in seconds since they’re built on the HTML5 mobile web standard, rather than having to be downloaded like clunky native apps.

Facebook hope some friendly competition will get you to spend even more time in Messenger. You compete asynchronously via high scores instead of directly at the same time, so its convenient to try you luck any time. And eventually, Instant Games could earn Facebook ad dollars from developers promoting their games, or a cut of payments, though there are no in-game purchases allowed yet.

Instant Games launches today in 30 countries including the US, with 17 games from classic developers like Bandai Namco, Konami, and Taito as well as newer studios like Zynga and King. They’re available on newer iOS and Android devices, and can be found by hitting the game controller icon in your Facebook Messenger threads next to the photos and stickers buttons. You can also play across platforms from Facebook on desktop thanks to a little overlaid phone screen.

Browsers – New Colibri browser will eliminate tabs

This new browser is available only for the Apple Mac OS as a beta version.  Both Windows and Android versions are in development.  This new facility is designed to be as simple as possible with the elimination of tabs

http://thenextweb.com/apps/2016/11/24/tabless-browser/

The last time I used a web browser without tabs was well over ten years ago. It was Internet Explorer 6. Things, thankfully, have moved on since then. But it seems that nobody has told Colibri – a new browser that aims to differentiate itself from the pack by excising tabs entirely.

This is a browser for people who like to do one thing a time. It’s currently available as a free beta for MacOS users. According to the developers, Windows, Android, and iOS versions are also in the pipeline, although it doesn’t say when these are expected to land.

It’s hard to get excited about what amounts to Chrome, sans the tab bar. But Colibri has a few tricks up its sleeve. First, it comes with something calledLinks”, which it says are designed to replace tabs. When you know that you’re going to re-visit a webpage, you can save it to be revisited later.

For the sake of fairness, it’s worth noting that Colibri will let you open an additional window if you absolutely must have multiple webpages open simultaneously. But this just feels incredibly inelegant, and kinda undermines its purpose.

COLIBRI — HOME PAGE (available only for Apple currently with Windows & Android versions in development)

https://colibri.opqr.co/

IoT Security – Vendors call for improved security in 2017

The security for the new “Internet of Things (IoT)” devices must be further improved in the future so that they cannot manipulated by unauthorized users.

http://www.pcmag.com/news/349860/tech-giants-iot-security-is-terrible-heres-how-to-fix-it

Google, T-Mobile, Cisco and several other companies offered a plan this week to help boost the security of baby monitors, Wi-Fi routers, traffic lights, and the millions of other devices that make up Internet of Things (IoT).  The plan, published on Tuesday by the Broadband Internet Technical Advisory Group, argues for a major shift in the way device manufacturers approach security. They should be “restrictive instead of permissive,” meaning instead of automatically allowing Internet traffic, in some cases without a password or firewall, IoT devices of the future should be inaccessible to inbound connections by default.

Only after a user configures the device’s security options would it be able to send and receive Internet traffic. For connected home devices like thermostats and baby monitors, that setup would have the additional benefit of not relying on the protection of a single firewall located in the home’s Wi-Fi router.

Besides arguing for more default security, its report also suggests strong encryption and automated software updates, two measures that security experts have been calling for in the wake of a massive DDoS attack that crippled much of the Internet’s infrastructure last month.

FBI – Cyber Monday 2016 safety warning issued

The FBI warns to be extra careful during the upcoming holiday season.  If an online offer seems too good to be true, it is usually a fraudulent scam designed to get credit card information and other sensitive data 

http://www.foxnews.com/us/2016/11/28/cyber-monday-scams-targeting-shoppers-fbi-warns.html

Crooks are out to ensure a blue Christmas for cyber shoppers, using an array of online treachery and phony deals that will net an estimated $1 billion this year, according to the FBI.  In a report titled “Tis the Season for Holiday Scams,” the FBI urged shoppers to be aware of increasingly aggressive and creative scams designed by criminals to steal money and personal information. Fake deals, bogus surveys and malware hidden in phony come-ons are all at a fever pitch today, as customers take part in Cyber Monday, the online version of Black Friday. “If a deal looks too good to be true, it probably, is,” the FBI said in a statement. “You may end up paying for an item, giving away personal information, and receive nothing in return except for a compromised identity.”

Before shopping online, the FBI recommends securing all bank and credit accounts withstrong and different” passwords. But shoppers aren’t just at risk on retail websites — the FBI is now warning to beware of social media posts and smartphone Apps.  “Beware of posts on social media sites that appear to offer vouchers or gift cards, even if it appears the offer was shared by an online friend,” according to the FBI statement. “Some may pose as holiday promotions or contests that lead to participation in an online survey designed to steal personal information.”

Microsoft Security Updates – NOVEMBER 2016

Below are key resources documenting this recent monthly Microsoft Patch Tuesday release which now works on a CUMMULATIVE basis:

https://technet.microsoft.com/en-us/library/security/ms16-nov.aspx

https://isc.sans.edu/mspatchdays.html

http://blog.talosintel.com/2016/11/MST11-2016.html

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. For a detailed explanaiton of each of the categories listed below, please go to https://technet.microsoft.com/en-us/security/gg309177.aspx

This month’s release is packed full of goodies, but you don’t want to wait to review them over Thanksgiving dinner as there are 14 unique bulletins addressing multiple vulnerabilities. Critical bulletins address vulnerabilities in (alphabetically): Adobe Flash Player, Edge, Graphics Component, Internet Explorer, Video Control, Windows kernel

Facebook – Developing new warning system for Fake News

Facebook has affirmed they are working on a new warning system to reduce the spread of false information plus malicious attacks associated with fake news links

http://www.pcmag.com/news/349742/zuckerberg-teases-warning-system-labels-for-fake-news

http://www.pcmag.com/news/349576/google-facebook-go-after-fake-news-with-new-ad-policies

Facebook CEO Mark Zuckerberg on Friday outlined some of the things his team is doing and considering to combat fake news, including a warning system for suspicious content and bringing in third-party fact-checking services to weigh in on popular content across the site. “While the percentage of misinformation is relatively small, we have much more work ahead on our roadmap,” Zuckerberg wrote in a Facebook post.

Some might quibble with his assertion that fake news has not proliferated on the site; earlier this week, for example, BuzzFeed reported that fake stories generated more engagement on Facebook in the last three months of the election than stories from reputable news sources. Even President Obama has criticized its spread. “If we can’t discriminate between serious arguments and propaganda, then we have problems,” he said during a news conference in Berlin this week.