Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: email@example.com
Zero-day IE Vulnerability Fix May Not Work
This latest zero-day hole in Internet Exploder (yeah, that was on purpose) is a doozy. If you missed the alert last Monday, here
However, the media makes this into a much bigger issue than it really is. As you would expect with an Advanced Persistent Threat (APT) like this, Microsoft has received reports of only a small number of targeted attacks so far.
They announced they were looking into reports of a vulnerability in IE6,7,8, and IE9 (not IE 10 by the way, the version which ships next month in Win8.) that affects the way how IE accesses objects that have been deleted or improperly allocated. According to reports, hackers have been exploiting the vulnerability to install the Poison Ivy Trojan via a drive-by download. Poison Ivy can be used to steal data or take remote control of workstations. It looks like the hackers are targeting defense contractors, meaning it's likely that a foreign state is behind this APT attack.
Some people are going overboard and recommending not using IE at all. That is slightly exaggerated. If an organization has standardized on a particular browser, it is a headache to switch to another one. You need to configure it correctly and do compatibility-testing, and Microsoft comes out with patches for zero-days pretty fast (e.g. in days instead of weeks). Redmond recommends to deploy their Enhanced Mitigation Experience Toolkit
(EMET) in order to prevent being exploited. I would take a look at it: http://www.microsoft.com/en-us/download/default.aspx
Quotes Of The Month
"There are in fact two things, science and opinion; the former begets knowledge, the latter ignorance." -- Hippocrates
"The reality of the world today is that grounding ethics in religion is no longer adequate." -- DalaiLama
Editor, WindowSecurity.com Newsletter
Email me at firstname.lastname@example.org
Released: Kevin Mitnick Security Awareness Training
Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.
Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training . You'll be glad you did.
30% Of European Organizations Refuse To Implement BYOD
"Imation released research which shows that German workers are most likely to follow rules around secure remote working, with 50% of German respondents saying that they always follow company rules compared to
just over one third (36%) of UK respondents. The study was conducted by independent research organizations among office workers in France, Germany and the UK.
Almost one fifth (18%) of UK respondents admitted to ignoring the rules even though they are aware of them, compared to just 6% of Germans who take the same lax approach to IT security. French workers are the least
aware of IT security policies, with one quarter (25%) claiming that they do not know their company’s rules on remote working.
The results may help to explain the seeming reluctance of organizations to implement “bring your own device” (BYOD) schemes, with almost one third (32%) of businesses not permitting staff to use personal devices such as laptops, smartphones and tablets at work. The independent research, which was carried out in France, Germany and the UK, demonstrates severe shortcomings in corporate security policies and the provision of technology to support remote working guidelines." Here is the full story at net-security.org: http://www.net-security.org/secworld.php?id=13621
Accessing Active Directory Information with LDP
In this article, Derek Melber will expose some security issues related to LDAP and Active Directory, using a free Microsoft tool called LDP.exe
"Active Directory is the most popular network directory used by corporations throughout the world. This does not mean that there are no other popular network directories, but Microsoft’s Active Directory (AD) runs most corporate networks. With this said, it is key to understand the security issues implications, whether you are aware of them or not. Every operating system has flaws and every operating system has vulnerabilities. Microsoft seems to be highest on the list, but that is just because it is everywhere, unlike other operating systems which have some market share, just not the volume that Microsoft does (IMHO). In this article, I am going to expose the issues related to LDAP and Active Directory, using a free Microsoft tool called LDP.exe. Anyone can download and run this tool from any Windows computer. At the end, I will give you some direction on how to protect yourself against this vulnerability." More: http://www.windowsecurity.com/articles/Accessing-Active-Directory-Information-LDP.html
Over Half Of Android Devices Have Unpatched Vulnerabilities
Over half of Android devices are vulnerable to known security flaws that can be exploited by malicious apps which could gain complete access to the OS and the data stored, according to a blog post from mobile security firm Duo Security.
Their numbers are based on 20K scans performed during the last couple of months with X-Ray, which is their free Android vulnerability assessment X-Ray scans devices for known privilege escalation vulnerabilities that exist in various versions of the mobile operating system.
I downloaded X-Ray and looked at it for myself. It scans for 8 known exploits and sees if the phone is vulnerable. Not sure if that is very comprehensive, knowing there are 13,000 Android malware strains out there. My Sprint Android 4.04 version was fully patched it said.
"Since we launched X-Ray, we've already collected results from over 20,000 Android devices worldwide," security researcher Jon Oberheide, who is co-founder and CTO of Duo Security, said Wednesday in a blog post: https://blog.duosecurity.com/2012/09/early-results-from-x-ray-over-50-of-android-devices-are-vulnerable/
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at email@example.com
SecOps: What You Need To Know
My Top 3 Security Sites
A customer asked me what my three top security websites are. I had to think for a bit, and then had to conclude that these three were my faves. You might like these too, so here they are, not necessarily in order of importance, however I have been reading InfoWorld since 1981. My Top 3 fave security sites are:
And as a bonus of course http://www.WindowSecurity.com!
How To Protect Your Mobile Platforms
The first mobile virus was reported in 2004 and a lot has happened since then with the emergence of mobile platforms like Android and iOS devices. Mobile devices are now the PC in your pocket so should we be applying the same level of security to these devices?
Introduction-Past versus Present
Mobile devices today are small powerful mobile PC’s despite their size and appearance; however the devices are fully functional. The mobile device of the past, with its voice and simple text functionality has advanced exponentially. These advancements in mobile computing have presented security risks to become more prevalent and more damaging compared with the first mobile attacks of 2004. There are billions of mobile devices at the moment with at least 2 billion being smart devices. These devices are now the target of malware writers and hackers.Here is the article by Ricky Magalhaes: http://www.windowsecurity.com/articles/Mobile-security-updates-2012.html
5 BYOD Deployment Rules
- To start off with, have a BYOD project leader that has the authority to enforce the required policies, procedures, and training to get BYOD implemented securely.
- Create clear and concise policy regarding BYOD for both IT and the end-users in your organization. Next, create computer-based end-user mobile security training that lays out these security policies and step all users through this training. That will create a higher understanding and compliance level, while having someone simply read and sign a paper document is a recipe for security breaches.
- Enforce a strong password policy, which has been part of the end-user training in step 2. For confidential data, implement two-factor authentication. But to prevent password fatigue, deploy Single Sign On (SSO) or use a password manager like LastPass which for the end-user has a similar functionality. Ideally you implement a so called ‘Federated ID’ which allows users to log in across all systems and applications they are authorized for with the same user name and password.
- Deploy secure remote access using a VPN that runs on SSL. Now that you have an authenticated user, you need a secure connection. With a VPN employees can connect to the office without worrying that their datasteam will be caught and broken into by the bad guys. A VPN does not provide 100% security but it provides a much harder target to crack.
- Onboarding and Termination needs to be managed tightly. When an employee gets hired, they need to get stepped through the security awareness training and mobile security training as part of the onboarding process. When an employee leaves, their network access should be terminated at the very same time. You need management software that controls devices from the organization’s side, which allows you to take away access in a few seconds.
Infosecurity - Beware Of iPhone Delivery Phishes
Hackers have a great new reason to send you a UPS notification regarding your new iPhone 5 shipment. In times like this – when people are eagerly waiting for an email of this type – the risk is great that recipients will have their guards down and will run the attached file. Be extra careful if you're waiting for a delivery notification. More at: http://www.infosecurity-magazine.com/view/28335/beware-of-iphone-delivery-phishes/
Who Is The Most Dangerous Cyber Celebrity?
Emma Watson has replaced Heidi Klum as McAfee's 2012 most dangerous celebrity to search for online. For the sixth year in a row, McAfee researched popular culture’s most famous people to reveal the riskiest Hollywood actors, athletes, musicians, politicians, designers, and comedians on the Web. Here is the whole story at Help Net Security: http://www.net-security.org/secworld.php?id=13556
Malware Dragnet Snags Millions of Infected PCs
Brian Krebs has a very interesting post about how Microsoft made headlines when it scored an unconventional if not unprecedented legal victory.
"Convincing a U.S. court to let it seize control of a Chinese Internet service provider’s network as part of a crackdown on piracy. I caught up with Microsoft’s chief legal strategist shortly after that order was executed, in a bid to better understand what they were seeing after seizing control over more than 70,000 domains that were closely associated with distributing hundreds of strains of malware. Microsoft said that within hours of the takeover order being granted, it saw more than 35 million unique Internet addresses phoning home those 70,000 malicious domains." Here is the full story: http://krebsonsecurity.com/2012/09/malware-dragnet-snags-millions-of-infected-pcs/
Fave links & Cool Sites