Security Protection – Harry Waldron MVP

Facebook – New Privacy Checkup Tool

An animated blue cartoon dinosaur guides users through improving their basic privacy settings.

http://securitywatch.pcmag.com/privacy/327117-facebook-privacy-checkup-helps-users-tweak-sharing-options

QUOTE: Facebook is rolling out Privacy Checkup, a new tool to help users review and adjust their privacy settings. A dialog box will appear on the site and ask “to quickly review a few of your privacy settings to make sure they’re set up the way you want,” Paddy Underwood, Facebook’s product manager, wrote in a Newsroom post on Thursday. The box displays a smiling blue cartoon dinosaur. Privacy Checkup is being rolled out gradually and will appear on the site “in the coming days,” Underwood said.

Privacy Checkup is “no substitute” for a thorough check of the existing privacy settings, but it’s a good start for many users who still have not adjusted their security settings on Facebook, Cluley said. And for users who have already gone through and adjusted their privacy settings, it’s a good idea to routinely review all of them to make sure nothing has changed or new settings haven’t been introduced. Go on and take a look and make sure you aren’t sharing with more people than you planned to.

Server Hardware – New Intel Xeon E5-2600 CPU

Interesting advancements in corporate hardware technologies are noted in the link below.

http://www.networkworld.com/article/2604202/beefier-servers-pack-more-storage-ddr4-memory.html

QUOTE: Servers with Intel’s new Xeon E5-2600 v3 server chips, code-named Grantley, were announced by Hewlett-Packard, Dell, Lenovo and IBM Monday. The servers were announced on the same day Intel debuted the chips, which are based on the Haswell microarchitecture.

Intel has cranked up the core count to 18 on the new server chips, an improvement from 12 cores in predecessors. IBM said the new 18-core chip helps deliver 59 percent better database performance and 61 percent better virtualization performance than its predecessor, the E5-2600 v2 chip, which shipped last year. To help boost speed, server makers have beefed up the CPU core count to 36 cores in the new two-socket systems, and have packed in more storage and memory.

The servers are the first with DDR4 memory, which delivers a 40 percent to 50 percent increase in bandwidth and 35 percent reduction in power consumption compared to DDR3 memory, currently in servers. Internal data transfers will be faster with DDR4, and in-memory applications like databases—where a lot of processing takes place in DRAM—are expected to benefit as a result.

Leadership – The most important person to ask questions

John Maxwell’s blog on Leadership is a favorite resource:

http://www.johnmaxwell.com/blog/the-most-important-person-to-ask-questions

QUOTE: Socrates is quoted as saying, “The unexamined life is not worth leading.” I would add that the unexamined leader is not worth following. Leaders who never take time to ask what they are doing and why they are doing it are unlikely to stay on track, lead at their best, and reach their potential. That is why we need to keep asking ourselves tough questions.

As a leader, I can allow others to ask me hard and important questions, and that’s wonderful. But even better, I can take responsibility, be proactive, and ask those questions of myself. I have come to the realization that by asking myself tough questions, I can maintain my integrity, increase my energy, and improve my leadership capacity. That’s why I ask myself questions every day.

1. Your Self-Image: How You See Yourself
2. Your Dream: How You See Your Future
3. Your Friends: How Others See You

IRS Telephone Scam – Largest phone fraud in US History

A major scam is currently circulating in which callers claiming to be technicians from Microsoft or Dell attempt to compromise the user’s PC or obtain highly sensitive information. Likewise, a major scam is circulating in which callers pretend to be from the IRS and attempt to steal money from frightened individuals.

As these social engineering schemes continue to circulate, users should resist giving up personal information by phone or email. Rather, they should use official channels of communication (e.g., calling the organization directly through its officially published telephone numbers, US postal mail, etc.).

http://www.cnet.com/news/scam-draft-internal-revenue-service-irs-phishing/

QUOTE: Starting last fall, scammers began passing themselves off as investigators for the Internal Revenue Service. Using the Internet, it was easy to find names, addresses and phone numbers of would-be victims who they are calling to threaten with arrest for failing to pay their taxes. They’re also sending out phony IRS emails to back up their phone calls. Presto! You’re a victim of social engineering. Who said cybercrime has to mean mucking about in software code?

The choice of the IRS was a stroke of genius. Even if someone fully pays Uncle Sam, there’s always going to be doubt left in their minds. We’ve all been there: Did I cut one too many corners claiming deductions? Did my accountant get a bit too creative? Did I flub basic math and add wrong? Any and all of the above?

The IRS says the ruse has so far taken in about 1,100 victims who have lost an estimated $5 million, according to the Treasury Department, making it the largest ever phone fraud in the US.  The target profile is usually someone 55 or older — particularly people older than 70 who are less savvy to these scams and more trusting than someone who grew up with the Internet.

And the bad guys are still working it. The US Treasury Department’s Inspector General J. Russell George has described it as “the biggest scam that we’ve seen this year.” As of mid-August, some 90,000 people had called a government hotline to notify authorities. Truth be told, the phony IRS agents do make a convincing sales pitch.

The IRS has published pointers on its website to help identify the scams:

* Your first contact with the IRS will not be a call from out of the blue.

* If the person on the phone starts getting angry or threatening, hang up.

* The IRS is not going to call and demand credit or debit card payment over the telephone.

* By the same token, the agency won’t insist on specific ways to pay your tax bill.

Data Breach – Home Depot credit card impacts reported by banks

A possible point-of-sale attack or data breach may have occurred during APR/MAY 2014 … Banks are seeing the impact directly as investigations get under way.

http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/

QUOTE: Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

Microsoft Security Update MS14-045 reissued on AUG 27th

http://support.microsoft.com/kb/2993651

http://blogs.technet.com/b/msrc/archive/2014/08/27/security-bulletin-ms14-045-rereleased.aspx

http://www.zdnet.com/microsoft-reissues-flawed-windows-security-update-7000033049/

QUOTE: A new version of MS14-045 has been pushed to Windows Update and the Download Center. Microsoft strongly recommends that users uninstall the old version first. Microsoft today re-released the updates for security bulletin MS14-045. This update had been released on the August Patch Tuesday, August 12, but withdrawn later in the week after user reports of blue screen crashes and disabled systems.

At the same time Microsoft withdrew MS14-045, it withdrew three non-security updates, KB2970228, KB2975719 and KB2975331. None of those have been reissued and we have no further information on them. A blog entry from Tracey Pretorius, Director of Microsoft Trustworthy Computing, implies that the problem was related to a change in the release schedules for non-security updates.

Hewlett-Packard – 6 million AC power cords recalled

DETAILS from the HP site below on the free trade-in program:

http://h30652.www3.hp.com/

http://money.msn.com/business-news/article.aspx?feed=AP&date=20140826&id=17884547

QUOTE: HP is recalling about 5.6 million notebook computer AC power cords in this country and another 446,700 in Canada because of possible overheating, which can pose a fire and burn hazard. Consumers are advised to immediately stop using and unplug the recalled power cords and contact Hewlett-Packard to order a free replacement. Consumers can continue using the computer on battery power. Hewlett-Packard can be reached at 877-219-6676 from 10 a.m. to 7 p.m. ET Monday through Friday or online at www.hp.com and click “Recalls” at the bottom of the page for more information.

Leadership – Probing Questions to gather details

The John Maxwell Leadership blog shares ideas on the preparation of questions when interviewing business professionals.

http://www.johnmaxwell.com/blog/questions-to-ask-during-a-learning-session

QUOTE: Larry King, who has made his living speaking to people as a television talk show host, believes that asking questions is the secret of good conversation. He says, I’m curious about everything, and if I’m at a cocktail party, I often ask my favorite question: “Why?” If a man tells me he and his family are moving to another city: “Why?” A woman is changing jobs: “Why?” Someone roots for the Mets: “Why?”

The meetings I look forward to most are the learning lunches I schedule every month with people who can teach me. When we meet, I come armed with questions. Many are specific to the individuals I’m meeting with. But there are some questions I try to ask everyone. You may want to use them too:

1. What is the greatest lesson you have learned? By asking this question I seek their wisdom.
2. What are you learning now? This question allows me to benefit from their passion.
3. How has failure shaped your life? This question gives insight into their attitude.
4. Who do you know whom I should know? This allows me to engage with their network.
5. What have you read that I should read? This question directs my personal growth.
6. What have you done that I should do? This helps me seek new experiences.
7. How can I add value to you? This shows my gratitude and desire to add value to them.

Data Breach – UPS impacted by malware in 24 states

UPS and authorities continue to investigate a data breach stemming from a major malware infection, which was removed on August 11, 2014.

http://www.theupsstore.com/security/Pages/default.aspx

QUOTE: An assessment by The UPS Store and the IT security firm revealed the presence of this malware on computer systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States. Based on the current assessment, the earliest evidence of the presence of this malware at any location is January 20, 2014. For most The UPS Store locations, based on our current assessment, the period of exposure to this malware began after March 26, 2014. This malware was eliminated as of August 11, 2014 and customers can shop securely at The UPS Store.

WordPress Security – New XMLRPC Brute force password attacks

Strong password controls are recommended for WordPress sites, as major brute force attacks are circulating more actively.

http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html

QUOTE: Brute force attacks against WordPress have always been very common. In fact, brute force attacks against any CMS these days are a common occurrence; what is always interesting, however, are the tools employed to make it happen. You create a website, because it’s super easy these days, publish the content and within a few weeks people try to repeatedly log in. These login attempts come from botnets; they are automated and their goal is simple: “break into as many websites as they can by guessing their passwords.” Once they find one that matches, they take over the site and use it to distribute malware, spam and similar activities.

Here is a small example, from our own honeypots, where we see hundreds of login attempts per day, trying various combinations. The passwords may seem silly, but after going through the most common 200/300 dictionary passwords, they can get into many web sites.

user: admin, pass: admin
user: admin, pass: 123456
user: admin, pass: 123123
user: admin, pass: 112233
user: admin, pass: pass123

Originally, these brute force attacks always happened via /wp-login.php attempts; lately, however, they are evolving and now leveraging the XMLRPC wp.getUsersBlogs method to guess as many passwords as they can. Using XMLRPC is faster and harder to detect, explaining this change in tactics. This is not to be confused with our post back in March where we reported XMLRPC being used to DDOS websites; oh no, in this instance they are leveraging it to break into websites.
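The Sucuri post above notes that the XML-RPC route is harder to spot than the classic /wp-login.php floods. One practical defender’s check is to watch the web server access log for bursts of POST requests to either endpoint from a single source. The script below is an added example written for this post; it is not Sucuri’s tooling or part of WordPress. It assumes the standard Apache/Nginx “combined” log format, and the 20-requests-in-5-minutes threshold and the sample log lines are constructed values, not figures from the article. Note that the method name (wp.getUsersBlogs) travels in the POST body, so a plain access log cannot see it; this detector keys on endpoint and request rate instead.

```python
"""Flag bursts of POST requests to WordPress login endpoints in access logs.

Added example (not from the original post). The log lines in SAMPLE_LOG are
constructed for illustration; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Endpoints the Sucuri post names as brute-force targets.
WATCHED_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Apache/Nginx "combined" log format (adjust the pattern for custom formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def find_bursts(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {(ip, path): peak_count} for sources that sent at least `threshold`
    POSTs to a watched endpoint within any span of length `window`.

    A sliding window over the sorted timestamps finds the busiest span per
    source, so slow, spread-out guessing stays under the threshold while a
    scripted burst (the botnet pattern in the post) is reported.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED_PATHS:
            events[(rec["ip"], rec["path"])].append(rec["ts"])

    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def _constructed_line(ip, ts, method, path, status=200):
    """Build one combined-format log line (constructed sample data)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one scripted client hammering xmlrpc.php, one
# legitimate editor, one harmless GET, and one slow guesser spread over hours.
_BASE = datetime(2014, 7, 21, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i in range(30):  # one POST every 5 seconds for 2.5 minutes
    SAMPLE_LOG.append(_constructed_line("203.0.113.7", _BASE + timedelta(seconds=5 * i),
                                        "POST", "/xmlrpc.php"))
SAMPLE_LOG.append(_constructed_line("198.51.100.2", _BASE + timedelta(minutes=1),
                                    "POST", "/wp-login.php", 302))
SAMPLE_LOG.append(_constructed_line("198.51.100.2", _BASE + timedelta(hours=3),
                                    "POST", "/wp-login.php", 302))
SAMPLE_LOG.append(_constructed_line("198.51.100.9", _BASE + timedelta(minutes=2),
                                    "GET", "/xmlrpc.php", 405))
for i in range(15):  # one POST every 30 minutes: never 20 in any 5-minute span
    SAMPLE_LOG.append(_constructed_line("192.0.2.44", _BASE + timedelta(minutes=30 * i),
                                        "POST", "/wp-login.php"))

if __name__ == "__main__":
    for (ip, path), count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip} sent {count} POSTs to {path} within 5 minutes")
```

Run against a real log with `find_bursts(open("access.log"))`. A hit is a reason to rate-limit or block the source at the web server and to confirm that the accounts it targeted use strong, unique passwords as the post recommends; sites that do not use XML-RPC clients at all can simply deny access to /xmlrpc.php at the web server. Counting by method name (to separate wp.getUsersBlogs guessing from legitimate pingbacks) requires instrumentation inside WordPress rather than the access log.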