December, 2011:

http://redmondmag.com/articles/2011/12/07/windows-8-beta-coming-february.aspx

QUOTE: Microsoft will release the beta of Windows 8 in late February, a company official announced yesterday.  The announcement came as part of a talk on Microsoft’s upcoming Windows Store, which will be the online selling presence for Windows 8 “Metro-style” applications, built on HTML 5, JavaScript, XAML and C languages. Antoine Leblond, vice president of Windows Web Services, disclosed the approximate release period for the Windows 8 beta. Prior to his talk, Microsoft officials had not publicly disclosed it.

ESET Security offers an excellent analysis on wireless security setup and WPA2 should be used for the best current levels of protection.

Wireless Security – None v WEP v WPA v WPA2
http://blog.eset.com/2011/12/30/could-hackers-break-into-your-wi-fi-wireless-router

QUOTE: You just got a new wireless router for Christmas, but when you set it up it asks about wireless security. Do you want WEP, WPA, WPA2 or any of the other alphabet soup options they give? While it’s easiest to just pick the default setting, are you setting yourself up for trouble from aspiring hackers? And what about the new WPS hack tool – called Reaver – does that make things worse?

NONE — Many people never set a password to protect their WiFi, after all it’s just one more password to remember, right? And your neighbors aren’t THAT evil (you hope). On the other hand, if the neighbors use your internet, it could make everything slow down, and if they get malware, it can spread to computers in your house and leave some unwanted gifts which can be quite painful.

WEP — Let’s start with WEP (Wired Equivalent Privacy). WEP is a vast improvement over no password. Think of it like a car with at least the doors locked. The door locks might not be the ultimate in security, but lacking even basic door locks leaves you wide open to thieves, so it’s better than nothing. It will deter simplistic thieves as they may look for other easier opportunities. But if they wanted to crack it, WEP won’t give them much of a workout. Using modern tools, WEP can be cracked in a few minutes, and you’d have a mistaken sense of security that your home and network are protected. So let’s move up the security chain to something beefier that’s also an option on most modern routers, WPA.

WPA/WPA2 — WPA is short for Wi-Fi Protected Access, is tougher to crack. WPA2 was later added, making it even more difficult by toughening the encryption used on the traffic from your computer to the router. This makes it much more difficult for bad actors to intercept and trick your internet traffic into going places other than where you intend. If you have the choice, this is definitely an improvement over WEP, so use this at a minimum, preferably WPA2 if you have the option. Some routers also will give an option of TKIP vs. AES, use AES if you have the choice, it’s more secure.

Security – Could Transportation sector be impacted in future?

These articles share some of the needs to strenghten security and privacy controls.  Hopefully, attacks will be prevented

PC Magazine Security – Could Transportation sector be impacted in future?
http://securitywatch.pcmag.com/security/292240-where-will-hackers-strike-next-transportation
http://www.reuters.com/article/2011/12/28/us-trains-security-idUSTRE7BR0C520111228
http://www.mercurynews.com/drive/ci_19633869

QUOTE: Practically every industry these days needs to be prepared for some kind of cyber threat, but the nature of the attacks and how the hackers carry out their assaults is ever-changing. Two news stories that popped onto my radar this week point to the different kinds of potential hacks that might occur, and both have to do with the transportation industry.

http://isc.sans.org/diary/Bye+2011+Hello+2012+what+will+you+have+in+store+for+us+/12301

QUOTE: With the last day of the year well and truly on the way in most parts of the world and almost finished in my part of the world it is probably a nice time to reflect a little bit on the year that was.  On the malware front I predict more of the same.  The basic things are still working, so why change.  Until the basic security controls are in place in most organisations as well as home computers most of the malware will continue to function without too much change in 2012.  We might see more tailored attacks on oranisations and breaking in is as simple as one click in many cases.

Webmasters and administrators should look for any signs of infection from this new SQL injection attack.  In many cases SQL attacks are mitigated through more secure programming conventions. Wild card character processing may allow more openess and convenience in user input, but may also allow SQL injection vulnerabilities).

Lilupophilupop SQL injection attacks infect over one million pages
http://isc.sans.org/diary/Lilupophilupop+tops+1million+infected+pages/12304
http://isc.sans.edu/diary.html?storyid=12127

QUOTE: Earlier in the month we published an article regarding the lilupophilupop SQL injection attack. I though it might be a good time to reflect on this attack and see how it is going.  When I first came upon the attack there were about 80 pages infected according to Google searches.  Today, well as the title suggests we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches. Still working on a discrete domain list for this).

This article discusses the challenges associated with preventing malware
attacks in the coming year.

PC Magazine – Let’s Terminate Malware in 2012
http://securitywatch.pcmag.com/security/292164-let-s-terminate-malware-in-2012

QUOTE: Antivirus research is a cat and mouse
problem. Each time the virus writers develop a new technique to spread
malware or steal private data, antivirus experts rush to build countermeasures.
To actually defeat the malware coders, we need to get out of strictly reactive
mode. That requires looking at the motivations that drive malware creators, not
just at their actions.

Malware earned about trillion dollars last year, according
Melissa Hathaway, former cyber-security advisor to the president. Trend Micros’s
researchers report that one malefactor spreading the KoobFace worm earned
$19,000 in a single day. A single attack can involve dozens of individuals or
gangs, each taking a cut of the profit. Trend’s experts put
together a report showing the entire complex economy surrounding modern
malware manufacture. Click on the image to see the full
infographic.

Organized computer crime exists to make money. One way to
put the brakes on malware creation is to make it unprofitable. Sure, countering
their technology is one way to cut the profits. A brand-new threat is most
profitable immediately after its release, breaks even after it has spread
enough, and tapers off once antivirus tools start to counter it. Pushing
antivirus detection so it occurs before break-even would definitely cramp their
style.

It is always a good practice to avoid reposting information as instructed in this hoax circulating in Facebook. A security firm called Facecrooks shares this informative link

http://facecrooks.com/Internet-Safety-Privacy/hoax-alert-with-the-new-fb-timeline-on-its-way-hover-over-my-name-above-this-doesnt-work.html

HOAX TEXT: “With the new ‘FB timeline’ on its way this week for EVERYONE…please do both of us a favor: Hover over my name above. In a few seconds you’ll see a box that says “Subscribed.” Hover over that, then go to “Comments and Likes” and “Games” and un-click it. That will stop my posts and yours to me from showing up on the side bar(ticker) for everyone to see, but MOST IMPORTANTLY it LIMITS HACKERS from invading our profiles. If you re-post this I will do the same for you. You’ll know I’ve acknowledged you because if you tell me that you’ve done it I’ll ‘like’ it. Thanks”

QUOTE: Sadly, this won’t do anything to protect you from hackers or improve your privacy. A very similar message was circulated when the Facebook ticker was introduced back in September. It caused quite a stir at the time, and it took a day or so for bloggers and social media gurus to get it all sorted out. If you are interested in reading why the message doesn’t work, then we recommend you read this post from our friends at Sophos.

Sunbelt labs warns of a new malicious application that can be installed on Twitter to determine user visitation.  Currently, no application can perform that analysis and this fake application is similar to the versions seen on Facebook and other sites.

Twitter – Avoid New Fake Tracker Application and dangerous URLs
http://sunbeltblog.blogspot.com/2011/12/curious-whos-stalking-you-yes-weve.html

QUOTE: This social media “stalking” thing, to the best of my knowledge, all began on MySpace. We’ve seen them emerge on Twitter, too: our friends at Sophos wrote a so-called “app” that Twitter purportedly released to track a user’s stalker. Only this time, no such app is ever involved. We impore you, Dear Reader, to please exercise caution when clicking links on tweets. Even better: use your better judgment on whether you’d believe a supposedly interesting tweet or not before considering visiting the URL that goes with it. More often than not, scam tweets are designed to sound this way to actually make Internet users click them. Please don’t be fooled.

A special out-of-band security release was performed yesterday to address ASP.net vulnerabilities recently discovered.  Corporate users should especially test and install this security patch expediently.

MS11-100 – Special Microsoft ASP.net security release December 2011
http://technet.microsoft.com/en-us/security/bulletin/ms11-100
http://blogs.technet.com/b/msrc/archive/2011/12/29/microsoft-releases-ms11-100-for-security-advisory-2659883.aspx
http://blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx
http://isc.sans.edu/diary.html?storyid=12295

QUOTE: The security update has a severity rating of Critical and resolves a publicly disclosed remote unauthenticated Denial of Service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework. Of note, the new method of hash collision attacks used to exploit this vulnerability is an industry-wide issue affecting various Web platforms, including ASP.NET.

While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible. Consumers are not vulnerable unless they are running a Web server from their computer. More technical details can be found at the Security Research & Defense Blog.

The ISC shares a new WPS vulnerability where brute force PIN attacks could potentially be used to gain unauthorized access

Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability
http://isc.sans.org/diary/Wi-Fi+Protected+Setup+WPS+PIN+Brute+Force+Vulnerability/12292

QUOTE: Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 – available since January 2007) designed to ease the process of securely setup Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available on the associated whitepaper. In reality, it acts as a “kind of backdoor” for Wi-Fi access points and routers.  The quick and immediate mitigation is based on disabling WPS.

More on WPS Security – Pros & Cons
https://isc.sans.edu/diary.html?storyid=10675

Wi-Fi Best Practices and Protection Resources
http://www.wi-fi.org/knowledge_center_overview.php
http://www.wi-fi.org/files/kc_80_20070104_Introducing_Wi-Fi_Protected_Setup.pdf