WindowSecurity.com Newsletter of May 2012 Sponsored by: Collective Software

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com

Affordable Two Factor Authentication with AuthLite

Static passwords are insecure, and strong policies lead to poor user compliance. AuthLite provides OTP security that's painless to use, far more secure, and affordable to any size organization. AuthLite's unique design enables existing password logon applications to support strong two-factor security, without needing drivers or client software changes. This multi-factor authentication solution augments Active Directory's normal password security with an easy-to-use one-touch token for each user. Low one-time cost per user; no renewals, hidden fees, or hardware expiration.

You can evaluate AuthLite today with no obligation from Collective Software.

Editor's Corner

Is Your Email Front Door Wide Open?

I was interviewed by Jeremy Quittner this week. Here is how he started his article in American Banker a day later: "It took Stu Sjouwerman, the founder and chief executive of security firm KnowBe4, of Clearwater, Fla., about two minutes to launch a successful social engineering attack against me."

What data did I have to get that done? His first name, phone number and the name of his publication, all of it public information. We were supposed to do an interview, so I decided to send him a 'demo'. First I went to the website of American Banker and found out who the Editor in Chief was, and grabbed his email address. Then I searched for and found a recent article that Jeremy had written. Next, I went to a site that allows me to enter a domain name, and it reports back if there is an SPF record (here it is).

Since there was no SPF record, I could spoof the email address of Jeremy's boss, the Editor. I sent him a short email that came supposedly from his boss, and asked if something was wrong with that recent story I had found on the website. I provided a link to the article, without a redirect or a Trojan, but that would have been relatively easy. When we were on the phone, I asked him if he had received an email from his boss. And he admitted he was ready to hang up the phone and click on the link, as this is the thing reporters fear: stories being queried by the boss.

All of that took a few minutes, and shows how easy it is to social engineer an end user into clicking on a link. For all of you IT security people out there: only about 30% of sites have an SPF record configured correctly. I strongly advise you to test your own mail server with the link above and see if your own SPF record is set. If not, make that a priority, as it leaves the front door wide open. And here is the full interview on the American Banker website.
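As an added illustration of the SPF point above (example code written for this newsletter edit, not part of the original article or any product), here is a small Python checker that classifies a domain's SPF posture from its DNS TXT records: missing, multiple records, or the strength of its terminating "all" qualifier. The domain names and TXT strings are constructed samples, not real lookups.

```python
import re

# Constructed sample answers to "TXT <domain>" lookups for hypothetical domains (not real DNS data).
SAMPLE_TXT_RECORDS = {
    "no-spf.example": ['"google-site-verification=abc123"'],
    "softfail.example": ['"v=spf1 include:_spf.mail.example ~all"'],
    "hardfail.example": ['"v=spf1 ip4:192.0.2.0/24 mx -all"'],
    "permissive.example": ['"v=spf1 +all"'],
    "two-records.example": ['"v=spf1 -all"', '"v=spf1 mx -all"'],
}

# Verdict per qualifier on the terminating "all" mechanism (default qualifier is "+").
ALL_VERDICTS = {
    "-": ("strong", "-all: mail from unlisted hosts fails SPF"),
    "~": ("moderate", "~all: unlisted hosts soft-fail; receivers usually only mark the message"),
    "?": ("weak", "?all: neutral, which gives receivers no signal"),
    "+": ("weak", "+all: every host passes, equivalent to no SPF record at all"),
}

def spf_records(txt_records):
    """Return only the SPF version-1 records among a domain's TXT strings."""
    found = []
    for raw in txt_records:
        rec = raw.strip().strip('"')          # dig prints TXT data wrapped in quotes
        if re.match(r"v=spf1(\s|$)", rec, re.IGNORECASE):
            found.append(rec)
    return found

def assess_spf(txt_records):
    """Classify a domain's SPF posture from its TXT records: (verdict, reason)."""
    spf = spf_records(txt_records)
    if not spf:
        return ("missing", "no SPF record: any host can send mail claiming this domain")
    if len(spf) > 1:
        # RFC 7208 sec. 4.5: more than one SPF record is a permanent error; receivers enforce none.
        return ("invalid", "multiple SPF records: receivers treat this as permerror")
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term, re.IGNORECASE)
        if m:
            return ALL_VERDICTS[m.group(1) or "+"]
    return ("weak", "no 'all' mechanism: unlisted hosts get a neutral result")

def assess_domains(records_by_domain):
    """Run the check over a {domain: [txt strings]} map, e.g. the sample data above."""
    return {d: assess_spf(txt) for d, txt in records_by_domain.items()}

if __name__ == "__main__":
    for domain, (verdict, reason) in assess_domains(SAMPLE_TXT_RECORDS).items():
        print(f"{domain:22} {verdict:9} {reason}")
```

For a live check of your own domain, feed the lines printed by `dig +short TXT yourdomain.example` into assess_spf.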

Quotes Of The Month

"Passwords are like underwear. You shouldn’t leave them out where people can see them. You should change them regularly. And you shouldn’t loan them out to strangers." -- Unknown

"I changed all my passwords to ‘incorrect’. So my computer just tells me when I forget." -- Anonymous

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity.com Newsletter
Email me at feedback@windowsecurity.com

Prevent Email Phishing


Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

IT Security specialists call it your 'phishing attack surface'. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now

Security Detail

How To Avoid 5 Common Email Management Mistakes

As I showed in the editorial, a misconfiguration of how email is handled can leave a hole you can drive a truck through, and there are other email management mistakes that you need to look out for.

The CSO website has a great article that I warmly recommend.

  • Mistake 1: Pigeonholing email as just an IT function
  • Mistake 2: Complacency with regard to spam and phishing
  • Mistake 3: Failing to consider business critical factors when trusting email to the cloud
  • Mistake 4: Not protecting failover servers
  • Mistake 5: Failure to plan for IPv6

This is a good article to check out and see how you are doing yourself in this regard.

To Whitelist Or To Not Whitelist

Derek Melber wrote a really good article about whitelisting and it's over at the WindowSecurity.com site. He started out with: "There are some key concerns about using whitelisting in your organization to control which applications users can use. In my opinion, whitelisting can be a very powerful tool to help reduce the overall attack surface within your organization. That is, to have the ability to control, one by one, which applications can run and which can't. However, some issues arise when you start to put the rubber to the pavement in your configuration and implementation of a whitelisting solution. If you can overcome the hurdles that come with deploying a whitelisting solution, I suggest you implement it as soon as possible. If you can't overcome the hurdles, there are some other settings that I always suggest along with whitelisting that I think should be done at a minimum." Here is the article.

I recently wrote a whitepaper about whitelisting myself, and I fully agree with Derek. This is an idea whose time has come. The whitepaper looks at whitelisting from the Admin perspective.

Still Run Vista? Redmond Sez: "Infection Rates Climb"!

Microsoft said last week that a skew toward more exploits on Windows Vista can be attributed to the demise of support for the operating system's first service pack. Data from the company's newest security intelligence report showed that in the second half of 2011, Vista Service Pack 1 (SP1) was 17% more likely to be infected by malware than Windows XP SP3, the final upgrade to the nearly 11-year-old operating system. That's counter to the usual trend, which holds that newer editions of Windows are more secure, and thus exploited at a lower rate, than older versions like XP. Some editions of Windows 7, for example, boast an infection rate half that of XP. Story at ComputerWorld.


SecureToolBox

ViewPoint - Your Take

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at feedback@windowsecurity.com 

SecOps: What You Need To Know

Busted: When Security Tools Fail

Bill Brenner over at the CSO website had a very good post about the problem that security tools themselves have flaws. He illustrates this with two stories, and the first one is worrisome. Did you know this?

"The first, by Dan Goodin, IT security editor at Ars Technica, is about a smartphone hijacking vulnerability affecting AT&T and 47 other carriers. In what may be the mother of all ironies, the flaw was introduced by a class of firewall products cell phone carriers use.

Goodin writes: "The attack, which doesn't require an adversary to have any man-in-the-middle capability over the network, can be used to lace unencrypted Facebook and Twitter pages with code that causes victims to take unintended actions, such as post messages or follow new users. It can also be used to direct people to fraudulent banking websites and to inject fraudulent messages into chat sessions in some Windows Live Messenger apps. Ironically, the vulnerability is introduced by a class of firewalls cellular carriers use. While intended to make the networks safer, these firewall middleboxes allow hackers to infer TCP sequence numbers of data packets appended to each data packet, a disclosure that can be used to tamper with Internet connections." More info here.

Tech Guns For Hire: 5 Places To Find Skilled IT Contractors

Most of you are forced to do more with less, and you usually have open positions that are difficult to fill. Here is some help from ComputerWorld:

"Even for organizations with a stellar full-time IT staff, situations often arise where temporary outside help is needed. A big Web project might demand a few extra programmers to meet a tough deadline, for example, or a rollout of tools to support a sales force bent on capturing a broader market may require expertise not available in-house.

That's when contractors come in. With job losses and uncertain economic times the new norm, independent contractors are on the rise in the U.S. In 2009, the number of U.S. freelancers in all fields stood at 12 million, according to market research firm IDC. That number is expected to reach 14 million by 2015." Here is how to find them.

Survey Finds Energy and Utility Industry Companies Weak on Cyber Risk Management

A recent survey of 108 global companies conducted by the Carnegie Mellon University CyLab and sponsored by RSA and Forbes found that those in the financial sector have the best cyber and information risk management practices, while companies in the energy and utility industries have the worst. While more than 90 percent of respondents said that they are actively addressing risk management at their organizations, only 33 percent said they were attending to cyber and information security, 29 percent said they were attending to information technology operations, and just 13 percent said they were attending to managing vendors who provide software and other services. Reported by SANS, and link here.


Hackers’ Haven

Adware Stages Comeback Via Browser Extensions

The Wikimedia Foundation last week warned that readers who are seeing ads on Wikipedia articles are likely using a Web browser that has been infected with malware. The warning points to an apparent resurgence in adware and spyware that is being delivered via cleverly disguised browser extensions and plugins that are bundled with other software or foisted in social engineering schemes. More at Brian Krebs' blog.

Android Hackers Hone Skills In Russia

The malware business growing around Google Android - now the leading smartphone operating system - is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers. More at ComputerWorld.

Thwarted By Security At Enterprises, Cyber Criminals Target SMBs

"Big business -- at least a significant percentage of it -- has apparently heeded the decades-long mantra from information security experts, and invested enough in security to make it difficult, expensive and risky for cyber criminals to attack them".

So criminals are seeking easier and safer ways to make money -- by attacking smaller businesses, according to Verizon's 2012 Data Breach Investigations Report (PDF), "A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service."

Verizon's security research director, Wade Baker, told London's The Inquirer that cyber criminals were mass producing their attack techniques and targeting small- and medium-size businesses (SMBs).

Speaking from Verizon's Security Operations Center in Dortmund, Germany, Baker said SMBs are "easy targets" for organized cybercrime compared with larger enterprises. "Cyber criminals have figured out that if their goal is to make money, attacking a large organization that's well defended and probably has ties to law enforcement that is going to pursue them, is a high-risk solution," he said.

A mass-produced, commoditized attack against smaller organizations with fewer defenses is "a very low risk," Baker said. More of this story at the Chief Security Officer (CSO) website.

Fave links & Cool Sites
