Search This Blog

Wednesday, September 26, 2012

WindowSecurity.com Newsletter - September 2012

-------------------------------------------------------
WindowSecurity.com Newsletter - September 2012
Sponsored by: ManageEngine
<http://www.manageengine.com/products/netflow/network-security-white-paper.html?utm_source=wownsec&utm_medium=newsletter&utm_campaign=textlinkNFA&utm_term=aug12&utm_content=>
-------------------------------------------------------

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com


1. Editor's Corner
-------------------------------------------------------

* Zero-day IE Vulnerability Fix May Not Work

This latest zero-day hole in Internet Exploder (yeah, that was on purpose)
is a doozy. If you missed the alert last Monday, here it is:
http://technet.microsoft.com/en-us/security/advisory/2757760

However, the media makes this into a much bigger issue than it really is.
As you would expect with an Advanced Persistent Threat (APT) like this,
Microsoft has received reports of only a small number of targeted attacks so
far.

They announced they were looking into reports of a vulnerability in IE6,7,8,
and IE9 (not IE 10 by the way, the version which ships next month in Win8.)
that affects the way how IE accesses objects that have been deleted or
improperly allocated. According to reports, hackers have been exploiting
the vulnerability to install the Poison Ivy Trojan via a drive-by download.
Poison Ivy can be used to steal data or take remote control of workstations.
It looks like the hackers are targeting defense contractors, meaning it's
likely that a foreign state is behind this APT attack.

Some people are going overboard and recommending not using IE at all. That
is slightly exaggerated. If an organization has standardized on a particular
browser, it is a headache to switch to another one. You need to configure
it correctly and do compatibility-testing, and Microsoft comes out with
patches for zero-days pretty fast (e.g. in days instead of weeks).
Redmond recommends to deploy their Enhanced Mitigation Experience Toolkit
(EMET) in order to prevent being exploited. I would take a look at it:
http://www.microsoft.com/en-us/download/default.aspx
---------------------------

* Quotes Of The Month:

"There are in fact two things, science and opinion; the former begets
knowledge, the latter ignorance." -- Hippocrates

"The reality of the world today is that grounding ethics in religion
is no longer adequate." -- DalaiLama

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com


2. Prevent Email Phishing
-------------------------------------------
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly "security awareness" trained.

IT Security specialists call it your phishing attack surface. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now http://www.knowbe4.com/email-exposure-check/



3. Security Detail
----------------------------------------

* 30% Of European Organizations Refuse To Implement BYOD

"Imation released research which shows that German workers are most
likely to follow rules around secure remote working, with 50% of German
respondents saying that they always follow company rules compared to
just over one third (36%) of UK respondents. The study was conducted
by independent research organizations among office workers in France,
Germany and the UK.

Almost one fifth (18%) of UK respondents admitted to ignoring the rules
even though they are aware of them, compared to just 6% of Germans who
take the same lax approach to IT security. French workers are the least
aware of IT security policies, with one quarter (25%) claiming that
they do not know their company's rules on remote working.

The results may help to explain the seeming reluctance of organizations
to implement "bring your own device" (BYOD) schemes, with almost one
third (32%) of businesses not permitting staff to use personal devices
such as laptops, smartphones and tablets at work. The independent research,
which was carried out in France, Germany and the UK, demonstrates severe
shortcomings in corporate security policies and the provision of technology
to support remote working guidelines." Here is the full story at
net-security.org:
http://www.net-security.org/secworld.php?id=13621
--------------------------

* Accessing Active Directory Information with LDP

In this article, Derek Melber will expose some security issues related
to LDAP and Active Directory, using a free Microsoft tool called LDP.exe

"Active Directory is the most popular network directory used by corporations
throughout the world. This does not mean that there are no other popular
network directories, but Microsoft's Active Directory (AD) runs most
corporate networks. With this said, it is key to understand the security
issues implications, whether you are aware of them or not. Every operating
system has flaws and every operating system has vulnerabilities. Microsoft
seems to be highest on the list, but that is just because it is everywhere,
unlike other operating systems which have some market share, just not the
volume that Microsoft does (IMHO). In this article, I am going to expose
the issues related to LDAP and Active Directory, using a free Microsoft
tool called LDP.exe. Anyone can download and run this tool from any
Windows computer. At the end, I will give you some direction on how to
protect yourself against this vulnerability." More:
http://www.windowsecurity.com/articles/Accessing-Active-Directory-Information-LDP.html
----------------------

* Over Half Of Android Devices Have Unpatched Vulnerabilities

Over half of Android devices are vulnerable to known security flaws that
can be exploited by malicious apps which could gain complete access to
the OS and the data stored, according to a blog post from mobile security
firm Duo Security.

Their numbers are based on 20K scans performed during the last couple
of months with X-Ray, which is their free Android vulnerability assessment
X-Ray scans devices for known privilege escalation vulnerabilities that
exist in various versions of the mobile operating system.

I downloaded X-Ray and looked at it for myself. It scans for 8 known
exploits and sees if the phone is vulnerable. Not sure if that is very
comprehensive, knowing there are 13,000 Android malware strains out there.
My Sprint Android 4.04 version was fully patched it said.

"Since we launched X-Ray, we've already collected results from over 20,000
Android devices worldwide," security researcher Jon Oberheide, who is
co-founder and CTO of Duo Security, said Wednesday in a blog post:
https://blog.duosecurity.com/2012/09/early-results-from-x-ray-over-50-of-android-devices-are-vulnerable/


4. SecureToolBox
-----------------------------------------------

* Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

* Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/


5. ViewPoint – Your Take
-------------------------------------------

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com

6. SecOps: What You Need To Know
--------------------------

* My Top 3 Security Sites

A customer asked me what my three top security websites are. I had to
think for a bit, and then had to conclude that these three were my faves.
You might like these too, so here they are, not necessarily in order of
importance, however I have been reading InfoWorld since 1981. My Top 3
fave security sites are:
1) http://www.infoworld.com/d/security
2) http://www.virusbtn.com/vb100/index
3) http://www.csoonline.com/
And as a bonus of course http://www.WindowSecurity.com !!
---------------------------

* How To Protect Your Mobile Platforms

The first mobile virus was reported in 2004 and a lot has happened since
then with the emergence of mobile platforms like Android and iOS devices.
Mobile devices are now the PC in your pocket so should we be applying
the same level of security to these devices?

Introduction-Past verses Present

Mobile devices today are small powerful mobile PC's despite their size
and appearance; however the devices are fully functional. The mobile
device of the past, with its voice and simple text functionality has
advanced exponentially. These advancements in mobile computing have
presented security risks to become more prevalent and more damaging
compared with the first mobile attacks of 2004. There are billions
of mobile devices at the moment with at least 2 billion being smart
devices. These devices are now the target of malware writers and hackers.
Here is the article by Ricky Magalhaes:
http://www.windowsecurity.com/articles/Mobile-security-updates-2012.html
--------------------

* 5 BYOD Deployment Rules

(1) To start off with, have a BYOD project leader that has the authority
to enforce the required policies, procedures, and training to get BYOD
implemented securely.

(2) Create clear and concise policy regarding BYOD for both IT and the
end-users in your organization. Next, create computer-based end-user
mobile security training that lays out these security policies and step
all users through this training. That will create a higher understanding
and compliance level, while having someone simply read and sign a paper document is
a recipe for security breaches.

(3) Enforce a strong password policy, which has been part of the
end-user training in step 2. For confidential data, implement
two-factor authentication. But to prevent password fatigue, deploy
Single Sign On (SSO) or use a password manager like LastPass which
for the end-user has a similar functionality. Ideally you implement
a so called 'Federated ID' which allows users to log in across all
systems and applications they are authorized for with the same
user name and password.

(4) Deploy secure remote access using a VPN that runs on SSL. Now
that you have an authenticated user, you need a secure connection.
With a VPN employees can connect to the office without worrying that their
datasteam will be caught and broken into by the bad guys. A VPN does
not provide 100% security but it provides a much harder target to crack.

(5) Onboarding and Termination needs to be managed tightly. When an
employee gets hired, they need to get stepped through the security
awareness training and mobile security training as part of the
onboarding process. When an employee leaves, their network access
should be terminated at the very same time. You need management
software that controls devices from the organization's side, which
allows you to take away access in a few seconds.


7. Hackers' Haven
--------------------------

* Infosecurity - Beware Of iPhone Delivery Phishes

Hackers have a great new reason to send you a UPS notification regarding
your new iPhone 5 shipment. In times like this – when people are eagerly
waiting for an email of this type – the risk is great that recipients
will have their guards down and will run the attached file. Be extra
careful if you're waiting for a delivery notification. More at:
http://www.infosecurity-magazine.com/view/28335/beware-of-iphone-delivery-phishes/
--------------------------

* Who Is The Most Dangerous Cyber Celebrity?

Emma Watson has replaced Heidi Klum as McAfee's 2012 most dangerous
celebrity to search for online. For the sixth year in a row, McAfee
researched popular culture's most famous people to reveal the riskiest
Hollywood actors, athletes, musicians, politicians, designers, and
comedians on the Web. Here is the whole story at Help Net Security:
http://www.net-security.org/secworld.php?id=13556
-------------------------

* Malware Dragnet Snags Millions of Infected PCs

Brian Krebs has a very interesting post about how Microsoft made headlines
when it scored an unconventional if not unprecedented legal victory.

"Convincing a U.S. court to let it seize control of a Chinese Internet
service provider's network as part of a crackdown on piracy. I caught up
with Microsoft's chief legal strategist shortly after that order was
executed, in a bid to better understand what they were seeing after
seizing control over more than 70,000 domains that were closely
associated with distributing hundreds of strains of malware. Microsoft
said that within hours of the takeover order being granted, it saw more
than 35 million unique Internet addresses phoning home those 70,000
malicious domains." Here is the full story:
http://krebsonsecurity.com/2012/09/malware-dragnet-snags-millions-of-infected-pcs/


8. Fave links & Cool Sites
--------------------------

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Bard Canning spent four weeks working frame-by-frame to produce the ultimate
Mars Curiosity descent video: 30fps true motion-flow interpolation, color and
detail enhanced, 1080p and sound. Watch this full screen in HD!:
http://www.flixxy.com/the-ultimate-mars-curiosity-descent-video-30fps-real-time-1080p.htm
---
It is possible that Mars once was as lush as Earth is today. So, what happened?
http://www.flixxy.com/how-planet-mars-may-have-lost-its-atmosphere.htm
---
Fifty cities In Michigan sing: "It's Always A Good Time": Love this one.
Only in the U.S. of A !!
http://www.flixxy.com/fifty-cities-in-michigan-sing-its-always-a-good-time.htm
---
Do a simple test ... Watch this video and count the red cards in the deck:
Dang they got me:
http://www.flixxy.com/count-the-red-cards.htm
---
DARPA releases video of new-and-improved LS3 quadruped robots. Getting eery:
http://youtu.be/40gECrmuCaU
---
Aussie-made sci-fi short film looks incredible:
http://www.cnet.com.au/aussie-made-sci-fi-short-film-looks-incredible-339341569.htm
---
The Flying Bicycle: On 9 November 1961, Derek Piggott was the first person
to become airborne on a bicycle-powered aircraft:
http://www.flixxy.com/the-flying-bicycle-1962.htm
---
Dilbert on Network Monitoring. Hehe:
http://www.dilbert.com/strips/comic/2012-09-04/
---
Slideshow: The 12 most dreaded help desk request:
http://www.infoworld.com/slideshow/64713/the-12-most-dreaded-help-desk-requests-202273
---
Taking the bus has never been cooler than in this funny Danish TV commercial.
http://www.flixxy.com/epic-bus-ad-from-denmark.htm
---
Have you ever seen a supersonic aircraft roar right over your head? A driver
in Russia had this exact experience when an Su-24 jet flew just a few dozen
meters over his car:
http://www.flixxy.com/russian-su-24-fighter-jet-buzzes-highway-drivers.htm


TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
WServerNews.com <http://www.wservernews.com/>

----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com

Copyright c WindowSecurity.com 2012. All rights reserved.

No comments: