Computer News & Safety – Harry Waldron

February, 2015:

Data Breach – Update on Anthem attacks

Security researchers have traced the theft of customer data from health insurer Anthem’s data systems to a professor at a Chinese university with links to a defense contractor. A new open-source intelligence analysis of the breach of health insurer Anthem has reinforced theories that the data theft leads back to a Chinese espionage program, security firm ThreatConnect stated on Feb. 27. In the report, which is based on public sources or “open-source” intelligence, security researchers at ThreatConnect and other companies found technical evidence that linked the malware reportedly used in the Anthem attack to a Chinese espionage group and a professor at Southeast University, which works with a government contractor, Beijing Topsec Technology Co.

Facebook – Bug Bounty Hunters paid $1.3 Million in 2014

Paying security researchers to privately identify vulnerabilities helps strengthen security over time, and this is a good investment for Facebook given its huge user base.

There’s no doubt that Facebook has a problem with malware, spam and cybercrime on its pages. However, it has gone to great lengths to combat these issues with its bug bounty program, which pays individual security researchers and experts who uncover problems with the site. And according to a recent report on the program from Facebook, it’s only getting bigger and better. Facebook has paid out $3 million to researchers around the world since the site started its bug bounty program in 2011. However, $1.3 million of that came in 2014 alone. That total was paid to 321 researchers in 123 countries for an average prize of $1,788. Overall, submissions increased by 16 percent from 2013 to 2014. India reported the most issues, followed by Egypt and the United States.  “Report volume is at its highest levels, and researchers are finding better bugs than ever before,” Facebook wrote in its post announcing the 2014 results. “We’ve already received more than 100 valid reports since the start of the new year.”

EMAIL – Cloudmark highlights dangerous attachment extensions

This PC Magazine article shares dangerous file extensions, in addition to EXE, that users should avoid.

Most of us now know that if you see a file with the .exe extension as an email attachment, then that file is up to no good and you shouldn’t click on it. But .exe files aren’t the only ones to watch out for. Cloudmark points out other file extensions the bad guys can use.

“We see spammers trying various other executable file names in an attempt to trick unsuspecting users into installing malware,” Cloudmark said in the latest Tasty Spam report. The .exe can be compressed into a .zip or .rar archive to bypass some antispam and antivirus programs. Cloudmark researchers have also seen the .arj archive, an obsolete format, recently. The .zip file may contain a .scr file, which stands for Windows screen saver. It is considered a special type of Windows executable.

Spammers are also using files with the .com extension. It’s unusual to see .com files in use nowadays because the executable is limited in size to 64k. However, it is just big enough to load malware. For many victims, the .com file extension may look like the .com in a URL. “A user tricked into double clicking on a file called may actually be installing a Trojan rather than following a link,” Cloudmark said.
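One way a mail gateway could flag the attachment types described above, as an added example that is not from the PC Magazine article or from Cloudmark: it normalises the final extension (catching double extensions and the URL-looking .com case), opens .zip archives to look for executables such as .scr, and quarantines .rar/.arj archives it cannot open. The extensions beyond .exe/.scr/.com and all sample filenames are this example's own assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Optional
# .exe, .scr, .com are from the Cloudmark report; the rest are this example's additions (assumption).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".arj"}

def _suffix(name: str) -> str:
    # Only the last suffix decides what Windows runs ('photo.jpg.exe' -> '.exe');
    # case and trailing spaces are normalised because Windows ignores both.
    return PurePosixPath(name.strip().lower()).suffix

def flagged_extension(name: str) -> Optional[str]:
    """Return the executable extension of an attachment name, or None."""
    suffix = _suffix(name)
    return suffix if suffix in EXECUTABLE_EXTENSIONS else None

def scan_attachment(name: str, data: bytes) -> list:
    findings = []  # human-readable findings for one attachment
    ext = flagged_extension(name)
    if ext:
        findings.append(f"{name}: executable attachment ({ext})")
    suffix = _suffix(name)
    if suffix == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():  # e.g. a .scr hidden inside the .zip
                inner = flagged_extension(member)
                if inner:
                    findings.append(f"{name}: archive holds executable {member} ({inner})")
    elif suffix in ARCHIVE_EXTENSIONS:
        # .rar and .arj cannot be opened with the standard library: hold for review.
        findings.append(f"{name}: {suffix} archive not inspectable here, quarantine")
    return findings

def build_sample_zip(members: dict) -> bytes:
    buf = io.BytesIO()  # in-memory archive: constructed sample data for the demo
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

# Constructed sample attachments modelled on the patterns the report describes.
SAMPLE_ATTACHMENTS = {
    "quarterly_report.pdf": b"%PDF-1.4 constructed",
    "photo.jpg.exe": b"MZ constructed",
    "www.example.com": b"MZ constructed",  # .com executable dressed up as a web address
    "documents.zip": build_sample_zip({"readme.txt": b"hi", "holiday.scr": b"MZ"}),
    "old_backup.arj": b"\x60\xea constructed",
}
```

Running `scan_attachment` over `SAMPLE_ATTACHMENTS` yields four findings: the double-extension .exe, the .com file, the .scr inside the .zip, and the uninspectable .arj; the PDF produces none.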

EMAIL – Fraudulent 419 scams include Ebola theme

This PC Magazine article warns that 419 scams now include Ebola information to make them more realistic. The vast majority of users avoid these scams, but there are enough victims to make them profitable, even when the odds are less than 1 out of 1,000.

Many users are familiar with the 419 scam, named for the section of Nigeria’s criminal code covering this particular form of fraud. The 419 scam comes in two flavors and is popular among spammers. Advanced fee scams promise gold bullion, lottery winnings, or unclaimed inheritances—provided someone pays a small fee to release those funds. The benefactor—actually the victim who received the spam—will never see the promised items. The above letter represents the second type, where the scammer is in a dire situation and needs help. In this case, the scammer says he or she wishes to escape Liberia because of the Ebola epidemic.

Internet Security – Browser Tracking Techniques

This informative article from the Internet Storm Center shares browser tracking techniques.

There are a number of different use cases to track users as they use a particular web site. Some of them are more “sinister” than others. For most web applications, some form of session tracking is required to maintain the user’s state. This is typically easily done using well configured cookies (and not the scope of this article). Sessions are meant to be ephemeral and will not persist for long. Over the years, browsers and plugins have provided a number of ways to restrict this tracking. Here are some of the more common techniques by which tracking is done, and how the user can prevent (some of) it:

1 – Cookies
2 – Flash Cookies (Local Shared Objects)
3 – IP Address
4 – User Agent
5 – Browser Fingerprinting
6 – Local Storage
7 – Cached Content
8 – Canvas Fingerprinting
9 – Carrier Injected Headers
10 – Redirects
11 – Cookie Respawning / Syncing

Antivirus – AV-Test product of year awards for 2014

Several AV companies recently won product of the year awards from the independent testing firm AV-Test.

The Best of 2014 – The award for best protection goes to Trend Micro. Not only did Trend consistently take high marks for protection, it also did well in the other two categories. For least impact on performance, Kaspersky took the prize. It demonstrated “no negative impact on the speed of the computer” and again scored well in the other two tests.

Avira earned Best of 2014 for usability, because it “always achieved outstanding results in all the test units.” Of course, low false positives aren’t meaningful unless coupled with good detection of actual malware. Avira accomplished that in AV-Test’s evaluation, though it didn’t do so well in our own testing.

Other Awards – AV-Test rates both consumer and corporate security products. The full report also includes a corporate winner in each category. Of course, malware isn’t just a Windows problem. Android, in particular, is becoming a very popular target. In the Android realm, two vendors shared top honors, Qihoo and Cheetah Mobile. The report also honored Kaspersky Virus Removal Tool as the best utility for making repairs after a malware attack.

Leadership – Turning losses into victories

Another excellent monthly article on management and leadership skills.

It’s hard to learn when we’re feeling down, because then we have to do things that aren’t natural. It’s hard to smile when we are not happy. It is difficult to respond with a good attitude when we’re numb with defeat. How will we face others when we are humiliated? How do we get back up when we are continually knocked down?

If you really want to become a learner, you need to change the way you look at your losses or mistakes and develop some important qualities that will help you respond to them. I hope this book will be of value to you, teaching you how to learn from your losses. Most of us need someone to help us figure out how to do that.

Malware – Hard Drive Firmware risk discovered

Researchers have discovered a new low-level machine language attack that can be hidden in the firmware that controls disk operations.

Someone out there figured out how to hide persistent, invisible espionage malware inside the firmware of your hard drives. Now it’s been discovered that they’ve been using it to spy on targets for nearly 20 years. This particular piece of malware is delivered via modified hard drive firmware, and Kaspersky says that it’s compatible with nearly all major hard drive brands: Seagate, Western Digital, Samsung, you name it. Once it’s there, it’s nearly impossible to get rid of or even detect. Since it’s not taking up space on the hard drive’s platters, it can easily re-infect a system even after a drive has been fully formatted.

Sarbanes-Oxley – Best practices in preparing for external audit

Some excellent planning excerpts from this informative article:

The SOX compliance requirements are complex and detailed. If you have an annual Sarbanes-Oxley audit on the horizon, brush up on your responsibilities and prep work in these recommended steps:

1. There are ways to streamline compliance efforts for the biggest SOX hurdle: SOX 404. For example, test only the internal controls that could lead to a material misstatement if they failed. By filtering out just this subset of controls, you’ll save time and effort in the long run.

2. Create a flow chart of processes, procedures and related activities in the organization so you know where to place controls to prevent errors.

3. Review your data governance and security protocols.

4. Most SOX-regulated IT organizations use COBIT, ITIL or another governance methodology to ensure consistent practices.

5. All this internal SOX audit preparation is a gateway to compliance best practices and easier protection of new IT initiatives, such as virtual desktops or cloud.

6. Don’t forget about software as a service (SaaS). Sensitive data frequently resides off-site on these third-party SaaS applications, and auditors are adapting to ferret out non-compliance. If your organization relies on SaaS vendors, verify that they keep data SOX-compliant with SAS 70 reports.

7. The right auditor makes the entire process run more smoothly. Choose a company that has experience in your specific industry.

8. There’s nothing wrong with asking questions about what you’ll be audited on and what the auditors’ methods will be. It will help your IT organization prepare and avoid common mistakes.

Microsoft Security Updates – FEBRUARY 2015

Critical security updates for Microsoft Windows, Office, IE, and other products became available on Patch Tuesday, and users should promptly update for the best level of protection against new threats.

Microsoft is releasing the following nine security bulletins for newly discovered vulnerabilities:

Bulletin ID: MS15-009
Bulletin Title: Security Update for Internet Explorer (3034682)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution

Bulletin ID: MS15-010
Bulletin Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution

Bulletin ID: MS15-011
Bulletin Title: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution

Bulletin ID: MS15-012
Bulletin Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
Max Severity Rating: Important
Vulnerability Impact: Remote Code Execution

Bulletin ID: MS15-013
Bulletin Title: Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
Max Severity Rating: Important
Vulnerability Impact: Security Feature Bypass

Bulletin ID: MS15-014
Bulletin Title: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
Max Severity Rating: Important
Vulnerability Impact: Security Feature Bypass

Bulletin ID: MS15-015
Bulletin Title: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
Max Severity Rating: Important
Vulnerability Impact: Elevation of Privilege

Bulletin ID: MS15-016
Bulletin Title: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
Max Severity Rating: Important
Vulnerability Impact: Information Disclosure

Bulletin ID: MS15-017
Bulletin Title: Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
Max Severity Rating: Important
Vulnerability Impact: Elevation of Privilege