Harry Waldron - Corporate Security News

Mobile Security - List of Vulnerable Android Smartphones

2011-11-23T15:55:00Z

A recent evaluation by Bit9 is noted below and the actual list can be found in links below

The 12 Most Vulnerable Smartphones
http://securitywatch.pcmag.com/none/290796-the-12-most-vulnerable-smartphones
http://www.bit9.com/orphan-android/

QUOTE: How vulnerable is your smartphone to malware attacks? Android is by far the most targeted mobile operating system, but some popular Android phones made by Samsung, HTC, and Motorola, fare a lot worse than others. Bit9, an enterprise-oriented security vendor, ranked the 12 most vulnerable cell phones (the "dirty dozen") based on how dated its software is out of the box. Android fragmentation is well documented, but your average cell phone user probably doesn’t care if he or she’s on Android 2.3 or Android 2.3.7. Functionally, the versions are similar.

Holiday 2011 - Online Shopping Safety Tips

2011-11-23T15:39:00Z

Below are key safety tips from Facecrooks and Trend Micro for the holiday season:

Holiday 2011 - Online Shopping Safety Tips
http://facecrooks.com/Safety-Center/Internet-Safety-Privacy/Online-Shopping-Safety-Tips.html

QUOTE: Black Friday and Cyber Monday are just around the corner. Many shoppers will avoid the mayhem and madness of brick and mortar establishments in favor of online retailers. Online shoppers are a favorite target of cyber criminals. Your credit card details, banking information and personal data are under constant assault from cyber criminals trying to do you harm. The type of attacks seen by Trend Micro include:

* Blackhat SEO attacks – search results for hot items such as gadgets and others can be poisoned to lead users to malicious sites,

* Scams – coming off as online promos, scams trick users into becoming victims of their malicious schemes that can lead to information and financial theft.

* Session hijacking – users who do their shopping while connected to unsecure networks put themselves at risk of this attack, which involves sniffing through networks for certain kinds of information such as account credentials, and using the said information to impersonate the users and execute actions.

Trend Micro Safety tips
http://blog.trendmicro.com/online-shopping-safety-tips-infographic

Microsoft Security Essentials - New Beta version emerges

2011-11-23T15:18:00Z

A new BETA version of MSE is available with limited participation. Good technical skills are usually required to support beta testing in case issues surface.

Microsoft Security Essentials beta registration opens
http://blogs.technet.com/b/mmpc/archive/2011/11/18/microsoft-security-essentials-beta-registration-opens.aspx

QUOTE: The number of users than can participate in the Beta is limited, so sign up today and we will notify you once the Beta is available for download. We anticipate the Microsoft Security Essentials beta to be available to the general public by the end of the year.

New features in the Beta of Microsoft Security Essentials include:

Enhanced protection through automatic malware remediation - The Beta will clean high-impact malware infections automatically, with no required user interaction.
Enhanced performance - The Beta includes many performance improvements to make sure your PC performance isn’t negatively impacted.
Simplified UI - Simplified UI makes Microsoft Security Essentials Beta easier to use.
New and improved protection engine - The updated engine offers enhanced detection and cleanup capabilities.

Facecrooks - Facebook Safety Blog

2011-11-14T19:49:00Z

This blog highlights new Facebook attacks

Facecrooks - Facebook Safety Blog
http://facecrooks.com/

Facecrooks - Best Practices in using Facebook
http://facecrooks.com/Safety-Center/Safety-Center.html

Facecrooks - Privacy and Security made simple
http://facecrooks.com/Safety-Center/Facebook-Privacy-and-Security-Made-Simple.html

Facebook - Avoid the 15 Second video challenge

2011-11-14T18:40:00Z

Please avoid suspicious links like this on Facebook

Facebook - Avoid the 15 Second video challenge
http://blog.eset.com/2011/11/13/facebook-video-scam-15-seconds-dont-watch-it-at-all

QUOTE: One of my Facebook friends drew my attention today to a fast-spreading link. I'm pleased to say that he knew better than to look at it, but I figured it was worth seeing what it was all about. The link comes with this message, according to Facecrooks.com (a good place to check for stuff like this):

98 Percent Of People Cant Watch This Video For More Than 15 Seconds

CLICK LINK TO WATCH VIDEO & SEE HOW LONG YOU CAN LAST!!

Needless to say, clicking the link is not a good idea. It's a survey scam: if you do follow the link, it takes you to a fake Facebook page that looks as if it contains a video, but if you click the "play" button, it loads a "Share" box so that you can irritate all your friends by spamming them with the same message

Microsoft Hyper-V Security recommendations

2011-11-14T16:55:00Z

Below are key resources for improving Hyper-V security

Simple Security Recommendations When Using Hyper-V
http://technet.microsoft.com/en-us/security/hh535714

QUOTE: Microsoft has a few articles on TechNet that outline some of the key aspects of a secure deployment of the Hyper-V virtualization technology, a feature of Windows Server 2008 R2.

Microsoft Hyper-V Security Best Practices
http://technet.microsoft.com/en-us/library/dd283088(WS.10).aspx

-- Use a Server Core installation of Windows Server 2008 for the management operating system.
-- Do not run any applications in the management operating system—run all applications on virtual machines.
-- Use the security level of your virtual machines to determine the security level of your management operating system.
-- Do not give virtual machine administrators permissions on the management operating system.
-- Ensure that virtual machines are fully updated before they are deployed in a production environment.
-- Ensure integration services are installed on virtual machines.
-- Use a dedicated network adapter for the management operating system of the virtualization server.
-- Use BitLocker Drive Encryption to help protect resources.

Additional Recommendations

FBI Operation Ghost Click - Largest Cybercriminal shutdown in history

2011-11-14T16:18:00Z

As Trend Labs notes, the FBI's Operation Ghost Click initiative is so far the largest cybercriminal shutdown in history

FBI Operation Ghost Click - Largest Cybercriminal shutdown in history
http://blog.trendmicro.com/esthost-taken-down-%e2%80%93-biggest-cybercriminal-takedown-in-history/

QUOTE: On November 8, a long-living botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro and a number of other industry partners. In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia. Here is the link to the press release of the FBI.

The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider. The following links relate to this entry:

PDF Malware - Increase for holiday season

2011-11-13T02:43:00Z

Sunbelt security warns of holiday package delivery scams and other threats where PDF malware may be circulating

PDF Malware - Increase for holiday season
http://sunbeltblog.blogspot.com/2011/11/pdf-malware-is-back-in-season.html

QUOTE: Avid readers of the GFI Labs blog can attest that they're no strangers to this kind of attack: one receives an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it's either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be varies, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer.

Our researchers in the AV Labs have been seeing an uptick of this particular campaign, which pose as a message from the United States Postal Service (USPS) and bears the subject "Package is was not able to be delivered please print out the attached label".

Android AV protection test results

2011-11-13T02:36:00Z

AV-Test noted some limitations in recent tests for Android AV products, which are continuing to improve and handle these new threats. Kaspersky, F-Secure, and Zoner were rated among best current solutions

Report: Most Free Android Antivirus Apps Useless
http://securitywatch.pcmag.com/security-software/290411-report-most-free-android-antivirus-apps-useless

QUOTE: Each product was installed on an Android device containing inactive specimens of over 150 recent Android threats. Researchers ran an on-demand scan and recorded how many threats were detected. Kaspersky and F-Secure detected over half. The best free product, Zoner Antivirus, caught 32 percent. All the rest detected under 10 percent, and some didn't detect any samples at all.

Duqu worm - Microsoft Hotfix and other protective measures

2011-11-13T02:23:00Z

Below are 6 recommendations for protection:

PC Magazine -- Six Ways to Protect Yourself from Duqu
http://securitywatch.pcmag.com/malware/290204-six-ways-to-protect-yourself-from-duqu
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231902310/five-things-to-do-to-defend-against-duqu.html?itc=edit_stub

QUOTE: Six Ways to Protect Yourself from Duqu

1. Microsoft Hotfix available
2. AntiVirus updates
3. Avoid unknown documents
4. Monitor for infected machines on network
5. Watch Port 443 traffic that's unencrypted
6. Keep an eye out for ~DQ files

Microsoft Hotfix available
http://www.pcmag.com/article2/0,2817,2395861,00.asp

Microsoft Security Release - November 2011

2011-11-13T01:02:00Z

These important security updates should be applied promptly:

Microsoft Security Release - November 2011
http://technet.microsoft.com/en-us/security/bulletin/ms11-nov
http://blogs.technet.com/b/srd/archive/2011/11/08/assessing-the-exploitability-of-ms11-083.aspx

ICS Analysis
http://isc.sans.edu/diary.html?storyid=11971

QUOTE: The vulnerability presents itself in the specific scenario where an attacker can send a large number of specially crafted UDP packets to a random port that does not have a service listening. While processing these network packets it is observed that some used structures are referenced but not dereferenced properly. This unbalanced reference counting could eventually lead to an integer overflow of the reference counter

FBI Operation Ghost Click - $14 Million operation shutdown

2011-11-10T15:50:00Z

A sophisticated attack called DNSchanger was successfully shutdown by the FBI.

FBI takes out $14M DNS malware operation
http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911
http://www.networkworld.com/community/blog/fbi-takes-out-14m-dns-malware-operation
http://www.f-secure.com/weblog/archives/00002268.html

QUOTE: US law enforcement today said it had smashed what it called a massive, sophisticated Internet fraud scheme that injected malware in more than four million computers in over 100 countries while generating $14 million in illegitimate income. Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA.

Details of the two-year FBI investigation called Operation Ghost Click were announced today in New York when a federal indictment was unsealed against six Estonian nationals and one Russian national. The six cyber criminals were taken into custody yesterday in Estonia by local authorities, and the U.S. will seek to extradite them. In conjunction with the arrests, U.S. authorities seized computers and rogue DNS servers at various locations.

Beginning in 2007, the cyber thieves used malware known as DNSChanger to infect computers worldwide, the FBI said. DNSChanger redirected unsuspecting users to rogue servers controlled by the cyber thieves, letting them manipulate users' web activity. The defendants also inflicted the following:

* Unwitting customers of the defendants' sham publisher networks were paying for Internet traffic from computer users who had not intended to view or click their ads.

* Users involuntarily routed to Internet ads may well have harbored discontent with those businesses, even though the businesses were blameless.

* And then there is the harm to the users of the hijacked computers. The DNSChanger malware was a virus more akin to an antibiotic-resistant bacterium. It had a built-in defense that blocked anti-virus software updates. And it left infected computers vulnerable to other malware.

Facebook - 600,000 compromised logins on daily basis

2011-11-02T18:10:00Z

On a percentage basis 99.94% of individuals among one billion users are true owners of the account. However, this is still a very large number of compromised accounts.

Facebook - 600,000 compromised logins on daily basis
http://securitywatch.pcmag.com/social-networking/289976-facebook-sees-600-000-compromised-logins-daily

QUOTE: In a recent infographic from Facebook regarding security, the social networking company let the world know it faces approximately 600,000 security threats per day in the form of "compromised" logins. That's a mere 0.06 percent of the 1 billion logins the site sees per day, although it's still a sizable number. "A compromised login' means the person logging in knows the username and password for an account, but we suspect they may not be the actual account holder"

Duqu - exploits zero day Windows kernel vulnerability

2011-11-02T17:32:00Z

The new Duqu malware threat was modeled after and perhaps represents the next version of Stuxnet (one of the most sophisticated malware attacks ever crafted). A recent discovery documents how Duqu exploits the Windows kernel from a malicious Word document. Microsoft is working on a patch to address this vulnerability.

Duqu exploits zero-day flaw in Windows kernel
http://www.computerworld.com/s/article/9221372/Update_Duqu_exploits_zero_day_flaw_in_Windows_kernel
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
http://blogs.mcafee.com/mcafee-labs/of-kernel-vulnerabilities-and-zero-dayz-a-duqu-update
http://www.f-secure.com/weblog/archives/00002263.html

QUOTE: The Duqu trojan infects systems by exploiting a previously unknown Windows kernel vulnerability that is remotely executable, security vendor Symantec said today. Symantec said in a blog post that CrySys, the Hungarian research firm that discovered the Duqu Trojan earlier this month, has identified a dropper file that was used to infect systems with the malware.

The installer file is a malicious Microsoft Word document designed to exploit a zero-day code execution vulnerability in the Windows kernel. "When the file is opened, malicious code executes and installs the main Duqu binaries" on the compromised system, Symantec said. Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers. In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares.

Kaspersky Labs - More on Duqu
http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One
http://www.securelist.com/en/blog/208193197/The_Mystery_of_Duqu_Part_Two
http://www.securelist.com/en/blog/208193206/The_Mystery_of_Duqu_Part_Three
http://www.securelist.com/en/blog/208193178/Duqu_FAQ

Facebook - How to harden your account settings

2011-11-01T18:28:00Z

The Avira Security blog shares basic tips on how to strengthen account setting controls in Facebook to improve safety

Facebook - How to harden your account settings
http://techblog.avira.com/2011/11/01/improve-your-security-6-harden-your-facebook-account/en/

QUOTE: In order to configure the access to your Facebook account setting controls, you must go to Home >>> Account Settings >>> Security Tab

You can select in this window a couple of options. Read below what each of them means.

* Secure Browsing - if activated, no matter where you are, as soon as you login in your account you will use Facebook over an encrypted connection. It is highly recommended to always activate this option.

* Login Notifications - can notify you when your account is accessed from a computer or mobile device that you haven’t used before. There are two notification methods available : Email and Text message. It is highly recommended to use at least Email.

* Login Approvals – requires to enter a security code each time an unrecognized computer or device tries to access your account. Recommended to be activated. This requires to have a mobile phone to be set up in the account.

* App Passwords - if the Login Approvals is activated, some Apps might not be able to function because they are not ready to work with codes. Instead, you could generate a password for these Apps which is different than your Facebook password. This allows a more granular control over your security. Highly recommended if you use third party Apps.

* Recognized Devices – Facebook will store a cookie on your device as soon as you login. If that cookie is no longer found, Facebook will consider the device you are using a new one and will ask for authentication. If you use many computers, enabling this option is highly recommended.

* Active Sessions – this options allows you to remotely control the sessions which are using your account. This means nothing else than removing from the server side the cookie which was created on login. If you think that your account was misused, the first thing to do is to end all active sessions and change your password.